Source: workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ns.ado/1 |
Source: workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/g |
Source: workalone.exe, 00000001.00000003.385517483.0000000008C81000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404595530.0000000008C91000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.404434533.0000000008C90000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.cobj |
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://saleshor12.duckdns.org |
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://saleshor12.duckdns.org: |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://saleshor12.duckdns.org:46539 |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://saleshor12.duckdns.org:46539/ |
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/ |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next |
Source: workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/ |
Source: workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/ |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0 |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse |
Source: workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse |
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron |
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate |
Source: workalone.exe, 00000001.00000002.406453954.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse |
Source: workalone.exe, 00000001.00000002.406713080.000000000309F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/t_ |
Source: tmp1B56.tmp.1.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE% |
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg |
Source: tmp1B56.tmp.1.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: tmp1B56.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: tmp1B56.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata% |
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search |
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= |
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp |
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf |
Source: workalone.exe, 00000001.00000002.412835943.000000000432F000.00000004.00000800.00020000.00000000.sdmp, workalone.exe, 00000001.00000003.372893673.000000000695E000.00000004.00000800.00020000.00000000.sdmp, tmp10B8.tmp.1.dr, tmpE08F.tmp.1.dr, tmp4D74.tmp.1.dr, tmp10E8.tmp.1.dr, tmp6FE4.tmp.1.dr, tmp4075.tmp.1.dr, tmpAFBA.tmp.1.dr, tmp4D35.tmp.1.dr, tmp7EB6.tmp.1.dr, tmp6FB4.tmp.1.dr, tmpE939.tmp.1.dr, tmp1B56.tmp.1.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer Author: ditekSHen |
Source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: Process Memory Space: workalone.exe PID: 5836, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: Process Memory Space: workalone.exe PID: 5956, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown |
Source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 1.0.workalone.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.2.workalone.exe.3a29170.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.2.workalone.exe.3a11340.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.2.workalone.exe.3a29170.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073 |
Source: 0.2.workalone.exe.3a11340.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 00000001.00000000.262815044.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: Process Memory Space: workalone.exe PID: 5836, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: Process Memory Space: workalone.exe PID: 5956, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23 |
Source: workalone.exe, 00000000.00000002.267079536.00000000029F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs workalone.exe |
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs workalone.exe |
Source: workalone.exe, 00000001.00000000.262909550.000000000041A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs workalone.exe |
Source: workalone.exe, 00000001.00000002.406918576.00000000030E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs workalone.exe |
Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs workalone.exe |
Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs workalone.exe |
Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: #l,\\StringFileInfo\\040904B0\\OriginalFilename vs workalone.exe |
Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs workalone.exe |
Source: workalone.exe, 00000001.00000002.410486785.00000000034BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs workalone.exe |
Source: unknown | Process created: C:\Users\user\Desktop\workalone.exe C:\Users\user\Desktop\workalone.exe |
Source: C:\Users\user\Desktop\workalone.exe | Process created: C:\Users\user\Desktop\workalone.exe C:\Users\user\Desktop\workalone.exe |
Source: C:\Users\user\Desktop\workalone.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\workalone.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c mkdir "C:\Users\user\AppData\Roaming\svchost |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\workalone.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\workalone.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd" /c copy "C:\Users\user\Desktop\workalone.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\workalone.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Users\user\Desktop\workalone.exe VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation |
Source: C:\Users\user\Desktop\workalone.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation |
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth |
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: #l1C:\Users\user\AppData\Roaming\Electrum\wallets\* |
Source: workalone.exe, 00000000.00000002.270249352.00000000039F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB |
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: \Ethereum\wallets |
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum |
Source: workalone.exe, 00000001.00000002.407484196.000000000318C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: #l5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\* |