Source: |
Binary string: costura.polly.pdb.compressed|||Polly.pdb|FD65CB8378305DD2185A5847C599E82A6AA5AD7A|81672 source: stub.exe |
Source: |
Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718394403.0000000006030000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: costura.dotnetzip.pdb.compressed source: stub.exe |
Source: |
Binary string: mscorlib.pdb source: stub.exe, 00000000.00000002.1714379327.000000000356E000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed-discord-webhook-client[costura.discord-webhook-client.dll.compressed source: stub.exe |
Source: |
Binary string: costura.polly.pdb.compressed source: stub.exe |
Source: |
Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718232203.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1710686089.00000000014E1000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: costura.costura.pdb.compressed source: stub.exe |
Source: |
Binary string: n0C:\Windows\mscorlib.pdb source: stub.exe, 00000000.00000002.1718750202.0000000006D2B000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: costura.dotnetzip.pdb.compressed|||DotNetZip.pdb|565BABCBCD978AF66FE1150CC58FDEAFC9815822|622080 source: stub.exe |
Source: |
Binary string: dotnetzipAcostura.dotnetzip.dll.compressedAcostura.dotnetzip.pdb.compressed;microsoft.bcl.asyncinterfacesicostura.microsoft.bcl.asyncinterfaces.dll.compressed source: stub.exe |
Source: |
Binary string: $^q costura.dotnetzip.pdb.compressed source: stub.exe, 00000000.00000002.1714379327.0000000003191000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: stub.exe |
Source: |
Binary string: polly9costura.polly.dll.compressed9costura.polly.pdb.compressed source: stub.exe |
Source: |
Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256Qb source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718232203.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1710686089.00000000014E1000.00000004.00000020.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
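The costura.*.compressed names above are Costura.Fody manifest resources (the sample merges Polly, DotNetZip, Costura and a discord-webhook-client assembly into stub.exe), and the three lines of the form costura.polly.pdb.compressed|||Polly.pdb|FD65CB8378305DD2185A5847C599E82A6AA5AD7A|81672 look like the metadata Costura keeps for them. The example below is added for this report and is not code from the sample or from the Costura project: it parses that six-field line and verifies a resource payload against it. Field meanings are inferred from the three visible entries (resource name, assembly name, version, file name, a 40-hex digest, a size; the middle two empty for PDBs); treating the digest as SHA-1 and the size as the decompressed length is an assumption to confirm against the Costura source. Payloads are stored with DeflateStream, i.e. raw DEFLATE, hence wbits=-15. The resource bytes used for the round trip are constructed, not taken from stub.exe.

```python
"""Parse Costura-style embedded-resource metadata and verify a resource
payload against the digest and size it records."""
import hashlib
import re
import zlib
from dataclasses import dataclass, replace

HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")


@dataclass(frozen=True)
class CosturaEntry:
    resource: str   # manifest resource name, e.g. costura.polly.pdb.compressed
    assembly: str   # assembly name; empty for the PDB entries visible in this report
    version: str    # assembly version; empty for the PDB entries visible in this report
    file_name: str  # name the payload is written out under, e.g. Polly.pdb
    digest: str     # 40-hex field; treated here as SHA-1 of the decompressed payload (assumption)
    size: int       # last field; treated here as the decompressed size in bytes (assumption)


def parse_metadata_line(line: str) -> CosturaEntry:
    """Split one '|'-delimited metadata line into its six fields, validating the shape."""
    parts = line.strip().split("|")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}: {line!r}")
    resource, assembly, version, file_name, digest, size = parts
    if not resource.endswith(".compressed"):
        raise ValueError(f"unexpected resource name: {resource!r}")
    if not HEX40.match(digest):
        raise ValueError(f"digest is not 40 hex chars: {digest!r}")
    return CosturaEntry(resource, assembly, version, file_name, digest.upper(), int(size))


def decompress_resource(blob: bytes) -> bytes:
    """Costura writes payloads with DeflateStream: raw DEFLATE, no zlib header,
    so a negative wbits is required."""
    return zlib.decompress(blob, wbits=-15)


def verify_resource(entry: CosturaEntry, blob: bytes) -> bytes:
    """Decompress and check size and digest; raise rather than hand back a payload
    that does not match its metadata, so a tampered resource never reaches disk."""
    data = decompress_resource(blob)
    if len(data) != entry.size:
        raise ValueError(f"{entry.file_name}: size {len(data)} != {entry.size}")
    digest = hashlib.sha1(data).hexdigest().upper()
    if digest != entry.digest:
        raise ValueError(f"{entry.file_name}: sha1 {digest} != {entry.digest}")
    return data


def make_test_resource(file_name: str, payload: bytes) -> tuple[str, bytes]:
    """Constructed (metadata line, compressed blob) pair for offline testing;
    the payload is invented and not from stub.exe."""
    comp = zlib.compressobj(level=9, wbits=-15)
    blob = comp.compress(payload) + comp.flush()
    line = "|".join([
        f"costura.{file_name.lower()}.compressed", "", "", file_name,
        hashlib.sha1(payload).hexdigest().upper(), str(len(payload)),
    ])
    return line, blob


if __name__ == "__main__":
    # The metadata line exactly as it appears in this report's strings.
    print(parse_metadata_line(
        "costura.polly.pdb.compressed|||Polly.pdb|FD65CB8378305DD2185A5847C599E82A6AA5AD7A|81672"))
    # Round trip on constructed data, then a deliberately wrong size is rejected.
    line, blob = make_test_resource("Polly.pdb", b"Microsoft C/C++ MSF 7.00\r\n" + b"\x00" * 4000)
    entry = parse_metadata_line(line)
    print(len(verify_resource(entry, blob)), "bytes verified")
    try:
        verify_resource(replace(entry, size=entry.size + 1), blob)
    except ValueError as exc:
        print("rejected:", exc)
```

In practice the blobs come from the .NET manifest resources of the unpacked PE (0.0.stub.exe.c70000.0.unpack above); dump them with any .NET metadata reader and feed each one to verify_resource together with its metadata line before loading the result into a disassembler.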
Source: global traffic |
HTTP traffic detected: HTTP/1.1 404 Not Found
Date: Sun, 01 Sep 2024 16:09:53 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
set-cookie: __dcfduid=9fa9e5be687c11efa2ff2e0ac1bafc8d; Expires=Fri, 31-Aug-2029 16:09:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1725206994
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: MISS
Expires: Sun, 01 Sep 2024 20:09:53 GMT
Cache-Control: public, max-age=14400
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TQlxRCUtIYXRlkKVdgg2Vs1N%2F6xsBEYGrAuryfnRy0LM8G%2FfNKROjA4Jyg%2BOsLU4Hf2%2FTeKjEU64P20%2Bc2zMcf17WqVYdAco7HT8H2wZ7fnRLaBHV371MwtLDGOj"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=9fa9e5be687c11efa2ff2e0ac1bafc8dd571a141d5614895aa2bfadae526d02924b726e9d5a1b5271d4ff6ad1090086d; Expires=Fri, 31-Aug-2029 16:09:53 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax |
Source: stub.exe, 00000000.00000002.1714379327.0000000003541000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://discord.com |
Source: stub.exe, 00000000.00000002.1714379327.0000000003541000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://discord.comd |
Source: stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718232203.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000041F7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/binaryformatter |
Source: stub.exe, 00000000.00000002.1717104214.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/dotnet-warnings/ |
Source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718232203.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete |
Source: stub.exe, 00000000.00000002.1714379327.0000000003538000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://discord.com |
Source: stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://discord.com/api/webhooks/1216977598710812722/eEJiGM8jVlIOF9WMbphPIuNdIEZhhSSu4T_LZSo0WE_S2Yn |
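The webhook URL above is the sample's exfiltration channel, and the only HTTP response in the report is a 404 from a Cloudflare-fronted host carrying Discord's x-ratelimit headers. The example below is added for this report and is not code from the sample: it splits the URL into webhook id and token, dates the webhook from the id (a Discord snowflake keeps milliseconds since 2015-01-01T00:00:00Z in its top 42 bits), produces a defanged form for a write-up, and maps an HTTP status from the endpoint to a verdict. The URL layout and snowflake format are Discord API facts; the status-to-verdict mapping is this example's own interpretation, and the token in the report appears cut off by the sandbox's string extraction (the regex accepts it regardless). No network request is made.

```python
"""Triage a Discord webhook URL recovered from a sample: split it into id and
token, date the webhook from the id, defang it for reporting, and interpret
the status Discord returns when the URL is contacted."""
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

DISCORD_EPOCH_MS = 1_420_070_400_000   # 2015-01-01T00:00:00Z, the snowflake epoch
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d{17,20})/([A-Za-z0-9_-]+)/?$")


def parse_webhook(url: str) -> tuple[int, str]:
    """Return (webhook_id, token); raise ValueError for anything that is not a webhook URL."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or u.hostname not in DISCORD_HOSTS:
        raise ValueError(f"not a Discord webhook host: {u.hostname!r}")
    m = WEBHOOK_PATH.match(u.path)
    if not m:
        raise ValueError(f"not a webhook path: {u.path!r}")
    return int(m.group(1)), m.group(2)


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a snowflake: the top 42 bits hold milliseconds
    since the Discord epoch, so id >> 22 recovers them."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def defang(url: str, keep: int = 4) -> str:
    """Mask all but the first `keep` token characters and break the URL so the
    secret cannot be reused from a report; the id stays intact for pivoting."""
    wid, token = parse_webhook(url)
    masked = token[:keep] + "*" * (len(token) - keep)
    return f"hxxps://discord[.]com/api/webhooks/{wid}/{masked}"


def webhook_verdict(status: int) -> str:
    """Interpret an HTTP status from the webhook endpoint (nothing is sent here)."""
    if status in (200, 204):
        return "live"          # still accepts posts: the exfil channel is open
    if status == 404:
        return "deleted"       # Unknown Webhook: removed by the owner or by Discord
    if status == 401:
        return "bad-token"     # the id exists but the token does not match
    if status == 429:
        return "rate-limited"  # honour x-ratelimit-reset-after before retrying
    return "unknown"


# The indicator from this report, as the sandbox extracted it.
REPORT_URL = ("https://discord.com/api/webhooks/1216977598710812722/"
              "eEJiGM8jVlIOF9WMbphPIuNdIEZhhSSu4T_LZSo0WE_S2Yn")

if __name__ == "__main__":
    wid, _ = parse_webhook(REPORT_URL)
    print("webhook id:", wid)
    print("created:", snowflake_time(wid).isoformat())
    print("report form:", defang(REPORT_URL))
    print("status 404 ->", webhook_verdict(404))
```

The creation date is the useful pivot: it bounds when the operator set up this campaign, independent of when the sample was compiled or submitted, and it survives even after the webhook has been deleted.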
Source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718394403.0000000006030000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958 |
Source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000043C5000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718394403.0000000006030000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588 |
Source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718232203.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/dotnet/roslyn/issues/46646 |
Source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718232203.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/dotnet/roslyn/issues/46646~ |
Source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718232203.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/dotnet/runtime |
Source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718232203.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/dotnet/runtime/issues/73124. |
Source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1718232203.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, stub.exe, 00000000.00000002.1717104214.00000000041F7000.00000004.00000800.00020000.00000000.sdmp, stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/dotnet/runtime8 |
Source: stub.exe |
String found in binary or memory: https://github.com/kgnfth |
Source: stub.exe, 00000000.00000002.1714379327.0000000003191000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://user-images.githubusercontent.com/73314940/227717196-0165bb7f-c33a-4985-8be8-2bd898eacc2b.pn |
Source: stub.exe, type: SAMPLE |
Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen |
Source: stub.exe, type: SAMPLE |
Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen |
Source: 0.0.stub.exe.c70000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen |
Source: 0.0.stub.exe.c70000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen |
Source: 00000000.00000000.1632374521.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen |
Source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs stub.exe |
Source: stub.exe, 00000000.00000002.1717104214.000000000430F000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameSystem.Memory.dllT vs stub.exe |
Source: stub.exe, 00000000.00000002.1718232203.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs stub.exe |
Source: stub.exe, 00000000.00000002.1717104214.00000000041F7000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs stub.exe |
Source: stub.exe, 00000000.00000002.1710686089.00000000014E1000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs stub.exe |
Source: stub.exe, 00000000.00000002.1717104214.00000000043C5000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameSystem.Memory.dllT vs stub.exe |
Source: stub.exe, 00000000.00000002.1710686089.000000000145E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs stub.exe |
Source: stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameSystem.Text.Json.dll@ vs stub.exe |
Source: stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameSystem.Memory.dllT vs stub.exe |
Source: stub.exe, 00000000.00000002.1718394403.0000000006030000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameSystem.Memory.dllT vs stub.exe |
Source: stub.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions |
Source: stub.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers |
Source: 0.0.stub.exe.c70000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions |
Source: 0.0.stub.exe.c70000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers |
Source: 00000000.00000000.1632374521.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions |
Source: C:\Users\user\Desktop\stub.exe |
Mutant created: NULL |
Source: C:\Users\user\Desktop\stub.exe |
Mutant created: \Sessions\1\BaseNamedObjects\J2HAC7I0JMZ4NW61EGKI |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_03 |
Source: C:\Users\user\Desktop\stub.exe |
WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\SysWOW64\taskkill.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 1732) |
Source: unknown |
Process created: C:\Users\user\Desktop\stub.exe "C:\Users\user\Desktop\stub.exe" |
|
Source: C:\Users\user\Desktop\stub.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5F.tmp.bat |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\chcp.com chcp 65001 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 1732 |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak |
|
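The cmd.exe chain above (a .bat under %TEMP% that runs chcp 65001, taskkill /F against the sample's own process 1732, then timeout /T 2) is the usual self-termination step before a .NET stub replaces or deletes itself. Note that the batch hands the PID to taskkill's /IM switch, which takes an image name (/PID is the PID switch), so the detector below matches either the parent's PID or its image name in the taskkill command line. The example is added for this report and is not the sample's code or a vendor rule: it correlates process-creation events on ProcessId/ParentProcessId, the way Sysmon Event ID 1 records them, and flags a cmd.exe that ran a %TEMP% batch and spawned both taskkill /F and timeout. The events are constructed from the "Process created" lines of this report; stub.exe keeps the PID the report gives it (1732), all other PIDs are invented.

```python
"""Flag the self-termination batch chain seen in this report's process list:
cmd.exe /C on a .bat under %TEMP% whose children include taskkill /F against
the sample's own process and a timeout."""
import re
from collections import defaultdict

CMD_C = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd\.exe"?\s+/[cC]\s+', re.IGNORECASE)
TEMP_BAT = re.compile(r'[A-Za-z]:\\[^\s"]*\\AppData\\Local\\Temp\\[^\\\s"]+\.bat\b', re.IGNORECASE)
TASKKILL_F = re.compile(r"\btaskkill(?:\.exe)?\b.*\s/F\b", re.IGNORECASE)
TIMEOUT_T = re.compile(r"\btimeout(?:\.exe)?\b.*\s/T\s+\d+", re.IGNORECASE)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_self_delete_chains(events):
    """One finding per cmd.exe that ran a %TEMP% .bat and spawned both taskkill /F
    and timeout. Events may arrive in any order; they are joined on PID/PPID."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ParentProcessId"]].append(ev)
    findings = []
    for ev in events:
        if image_name(ev["Image"]) != "cmd.exe" or not CMD_C.match(ev["CommandLine"]):
            continue
        bat = TEMP_BAT.search(ev["CommandLine"])
        if not bat:
            continue
        kids = [k["CommandLine"] for k in children[ev["ProcessId"]]]
        kills = [c for c in kids if TASKKILL_F.search(c)]
        waits = [c for c in kids if TIMEOUT_T.search(c)]
        if not (kills and waits):
            continue
        # Does taskkill target cmd.exe's own parent, by PID or by image name?
        parent_pid = ev["ParentProcessId"]
        parent_img = image_name(ev["ParentImage"])
        kills_parent = any(
            re.search(rf"\b{parent_pid}\b", c) or parent_img in c.lower() for c in kills)
        findings.append({
            "cmd_pid": ev["ProcessId"],
            "parent": ev["ParentImage"],
            "parent_pid": parent_pid,
            "batch": bat.group(0),
            "kills_parent": kills_parent,
            "severity": "high" if kills_parent else "medium",
        })
    return findings


# Constructed from the "Process created" lines of this report. stub.exe keeps the
# PID the report gives it (1732); every other PID is invented for the example.
SAMPLE_EVENTS = [
    {"ProcessId": 1732, "ParentProcessId": 4040, "Image": r"C:\Users\user\Desktop\stub.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"C:\Users\user\Desktop\stub.exe"'},
    {"ProcessId": 2188, "ParentProcessId": 1732, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\stub.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5F.tmp.bat'},
    {"ProcessId": 2196, "ParentProcessId": 2188, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 2204, "ParentProcessId": 2188, "Image": r"C:\Windows\SysWOW64\chcp.com",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "chcp 65001"},
    {"ProcessId": 2212, "ParentProcessId": 2188, "Image": r"C:\Windows\SysWOW64\taskkill.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "TaskKill /F /IM 1732"},
    {"ProcessId": 2220, "ParentProcessId": 2188, "Image": r"C:\Windows\SysWOW64\timeout.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "CommandLine": "Timeout /T 2 /Nobreak"},
    # Benign control: a build script in %TEMP% with no kill/wait children is not flagged.
    {"ProcessId": 3000, "ParentProcessId": 2990, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Git\git-bash.exe",
     "CommandLine": r"cmd.exe /C C:\Users\user\AppData\Local\Temp\build.bat"},
]

if __name__ == "__main__":
    for finding in find_self_delete_chains(SAMPLE_EVENTS):
        print(finding)
```

Requiring both taskkill and timeout under the same cmd.exe, and raising severity only when the kill targets cmd.exe's own parent, keeps installers and build scripts that legitimately run batches from %TEMP% out of the high-severity bucket.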
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: rasapi32.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: rasman.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: rtutils.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: secur32.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: schannel.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: mskeyprotect.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: ncryptsslp.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: propsys.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: edputil.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: windows.staterepositoryps.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: appresolver.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: bcp47langs.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: slc.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: sppc.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: onecorecommonproxystub.dll |
Source: C:\Users\user\Desktop\stub.exe |
Section loaded: onecoreuapcommonproxystub.dll |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: cmdext.dll |
Source: C:\Windows\SysWOW64\chcp.com |
Section loaded: ulib.dll |
Source: C:\Windows\SysWOW64\chcp.com |
Section loaded: fsutilext.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: version.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: mpr.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: framedynos.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: dbghelp.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: srvcli.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: netutils.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: wbemcomn.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: winsta.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: amsi.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: userenv.dll |
Source: C:\Windows\SysWOW64\taskkill.exe |
Section loaded: profapi.dll |
Source: C:\Windows\SysWOW64\timeout.exe |
Section loaded: version.dll |
Source: Yara match |
File source: stub.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.stub.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1632374521.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1714379327.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: stub.exe PID: 1732, type: MEMORYSTR |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\stub.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\taskkill.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\stub.exe |
WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController |
Source: C:\Users\user\Desktop\stub.exe TID: 2424 |
Thread sleep time: -4611686018427385s >= -30000s |
Source: C:\Users\user\Desktop\stub.exe TID: 2424 |
Thread sleep time: -100000s >= -30000s |
Source: C:\Users\user\Desktop\stub.exe TID: 2200 |
Thread sleep count: 706 > 30 |
Source: C:\Users\user\Desktop\stub.exe TID: 2200 |
Thread sleep count: 1461 > 30 |
Source: C:\Users\user\Desktop\stub.exe TID: 2424 |
Thread sleep time: -99875s >= -30000s |
Source: C:\Users\user\Desktop\stub.exe TID: 2424 |
Thread sleep time: -99765s >= -30000s |
Source: C:\Users\user\Desktop\stub.exe TID: 2424 |
Thread sleep time: -99656s >= -30000s |
Source: C:\Users\user\Desktop\stub.exe TID: 2424 |
Thread sleep time: -99546s >= -30000s |
Source: C:\Users\user\Desktop\stub.exe TID: 2424 |
Thread sleep time: -99320s >= -30000s |
Source: C:\Users\user\Desktop\stub.exe TID: 2424 |
Thread sleep time: -99218s >= -30000s |
Source: C:\Users\user\Desktop\stub.exe TID: 2424 |
Thread sleep time: -99108s >= -30000s |
Source: C:\Users\user\Desktop\stub.exe TID: 2424 |
Thread sleep time: -98953s >= -30000s |
Source: C:\Users\user\Desktop\stub.exe |
WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor |
Source: C:\Users\user\Desktop\stub.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\stub.exe |
Thread delayed: delay time: 100000 |
Source: C:\Users\user\Desktop\stub.exe |
Thread delayed: delay time: 99875 |
Source: C:\Users\user\Desktop\stub.exe |
Thread delayed: delay time: 99765 |
Source: C:\Users\user\Desktop\stub.exe |
Thread delayed: delay time: 99656 |
Source: C:\Users\user\Desktop\stub.exe |
Thread delayed: delay time: 99546 |
Source: C:\Users\user\Desktop\stub.exe |
Thread delayed: delay time: 99320 |
Source: C:\Users\user\Desktop\stub.exe |
Thread delayed: delay time: 99218 |
Source: C:\Users\user\Desktop\stub.exe |
Thread delayed: delay time: 99108 |
Source: C:\Users\user\Desktop\stub.exe |
Thread delayed: delay time: 98953 |
Source: stub.exe, 00000000.00000002.1714379327.00000000033E7000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMware |
Source: stub.exe, 00000000.00000002.1717731651.00000000059F0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: stub.exe |
Binary or memory string: vmware |
Source: stub.exe, 00000000.00000002.1717731651.00000000059F0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ |
Source: stub.exe, 00000000.00000002.1717997877.0000000005AF0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'= |
Source: stub.exe |
Binary or memory string: VMwareVBox |
Source: stub.exe |
Binary or memory string: VirtualMachine: |
Source: stub.exe, Keylogger.cs |
Reference to suspicious API methods: MapVirtualKey(vkCode, 0u) |
Source: stub.exe, Decryptor.cs |
Reference to suspicious API methods: WinApi.LoadLibrary(sPath + "\\mozglue.dll") |
Source: stub.exe, Decryptor.cs |
Reference to suspicious API methods: WinApi.GetProcAddress(_hNss3, "NSS_Init") |
Source: C:\Users\user\Desktop\stub.exe |
Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp5F.tmp.bat |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\chcp.com chcp 65001 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 1732 |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak |
Source: Yara match |
File source: stub.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.stub.exe.c70000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1632374521.0000000000C72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: stub.exe |
String found in binary or memory: Electrum#\Electrum\wallets |
Source: stub.exe |
String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb |
Source: stub.exe |
String found in binary or memory: Exodus+\Exodus\exodus.wallet |
Source: stub.exe |
String found in binary or memory: Ethereum%\Ethereum\keystore |
Source: stub.exe |
String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets |